diff --git a/fix_timeouts.py b/fix_timeouts.py deleted file mode 100644 index ee19477c..00000000 --- a/fix_timeouts.py +++ /dev/null @@ -1,140 +0,0 @@ -#!/usr/bin/env python3 -"""Add missing timeout= parameter to subprocess calls in agent.py files.""" - -import glob -import re - - -def add_timeout_to_subprocess_calls(filepath): - """Add timeout=120 to subprocess.run/check_output/check_call calls missing it.""" - with open(filepath, "r", encoding="utf-8", errors="replace") as f: - content = f.read() - - original = content - fixes = 0 - - funcs = ["subprocess.run", "subprocess.check_output", "subprocess.check_call"] - - for func in funcs: - start = 0 - while True: - idx = content.find(func + "(", start) - if idx == -1: - break - - # Check if this line is a comment - line_start = content.rfind("\n", 0, idx) + 1 - line_prefix = content[line_start:idx].lstrip() - if line_prefix.startswith("#"): - start = idx + 1 - continue - - # Find matching closing paren with basic string tracking - paren_depth = 0 - pos = idx + len(func) - found_close = -1 - in_str = None - escape_next = False - - while pos < len(content): - ch = content[pos] - - if escape_next: - escape_next = False - pos += 1 - continue - - if ch == "\\": - escape_next = True - pos += 1 - continue - - if in_str is None: - if ch == '"' and content[pos:pos+3] == '"""': - in_str = '"""' - pos += 3 - continue - elif ch == "'" and content[pos:pos+3] == "'''": - in_str = "'''" - pos += 3 - continue - elif ch == '"': - in_str = '"' - elif ch == "'": - in_str = "'" - elif ch == "(": - paren_depth += 1 - elif ch == ")": - if paren_depth == 1: - found_close = pos - break - paren_depth -= 1 - else: - if in_str == '"""' and content[pos:pos+3] == '"""': - in_str = None - pos += 3 - continue - elif in_str == "'''" and content[pos:pos+3] == "'''": - in_str = None - pos += 3 - continue - elif in_str == '"' and ch == '"': - in_str = None - elif in_str == "'" and ch == "'": - in_str = None - - pos += 1 - - if found_close == -1: - start = idx + 1 - continue - - call_content = content[idx:found_close + 1] - - if "timeout" not in call_content: - # Insert timeout=120 before the closing paren - before_close = content[:found_close].rstrip() - after_close = content[found_close + 1:] - - # Determine indentation by looking at the line with the func call - func_line_start = content.rfind("\n", 0, idx) + 1 - indent = "" - for c in content[func_line_start:]: - if c in (" ", "\t"): - indent += c - else: - break - - # Check if call is multiline - call_text = content[idx:found_close] - if "\n" in call_text: - # Multiline: add timeout on new line with proper indent - content = before_close + ", timeout=120\n" + indent + ")" + after_close - else: - # Single line: add inline - content = content[:found_close] + ", timeout=120)" + after_close - - fixes += 1 - - start = idx + 1 - - if fixes > 0: - with open(filepath, "w", encoding="utf-8") as f: - f.write(content) - - return fixes - - -if __name__ == "__main__": - files = sorted(glob.glob("skills/*/scripts/agent.py")) - total_fixed = 0 - files_fixed = 0 - - for filepath in files: - n = add_timeout_to_subprocess_calls(filepath) - if n > 0: - total_fixed += n - files_fixed += 1 - print(f" Fixed {n} calls in {filepath}") - - print(f"\nTotal: {total_fixed} subprocess calls fixed across {files_fixed} files") diff --git a/skills/analyzing-active-directory-acl-abuse/SKILL.md b/skills/analyzing-active-directory-acl-abuse/SKILL.md index b8c47e8c..543d06f0 100644 --- a/skills/analyzing-active-directory-acl-abuse/SKILL.md +++ b/skills/analyzing-active-directory-acl-abuse/SKILL.md @@ -18,6 +18,14 @@ Active Directory Access Control Lists (ACLs) define permissions on AD objects th This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound. + +## When to Use + +- When investigating security incidents that require analyzing active directory acl abuse +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9 or later with ldap3 library (`pip install ldap3`) diff --git a/skills/analyzing-android-malware-with-apktool/SKILL.md b/skills/analyzing-android-malware-with-apktool/SKILL.md index fe86c4c5..b39d37fb 100644 --- a/skills/analyzing-android-malware-with-apktool/SKILL.md +++ b/skills/analyzing-android-malware-with-apktool/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators. + +## When to Use + +- When investigating security incidents that require analyzing android malware with apktool +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `androguard` diff --git a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md index d2899365..450ed943 100644 --- a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 MITRE ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices, enabling analysts to visualize threat actor technique coverage, compare multiple APT groups, identify detection gaps, and build threat-informed defense strategies. This skill covers querying ATT&CK data programmatically, mapping APT group TTPs to Navigator layers, creating multi-layer overlays for gap analysis, and generating actionable intelligence reports for detection engineering teams. + +## When to Use + +- When investigating security incidents that require analyzing apt group with mitre navigator +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `attackcti`, `mitreattack-python`, `stix2`, `requests` libraries diff --git a/skills/analyzing-campaign-attribution-evidence/SKILL.md b/skills/analyzing-campaign-attribution-evidence/SKILL.md index a865fc2e..a07b909c 100644 --- a/skills/analyzing-campaign-attribution-evidence/SKILL.md +++ b/skills/analyzing-campaign-attribution-evidence/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments. + +## When to Use + +- When investigating security incidents that require analyzing campaign attribution evidence +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `attackcti`, `stix2`, `networkx` libraries diff --git a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md index 760dba63..c75a80d4 100644 --- a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md +++ b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Certificate Transparency (CT) is an Internet security standard that creates a public, append-only log of all issued SSL/TLS certificates. Monitoring CT logs enables early detection of phishing domains that register certificates mimicking legitimate brands, unauthorized certificate issuance for owned domains, and certificate-based attack infrastructure. This skill covers querying CT logs via crt.sh, real-time monitoring with Certstream, building automated alerting for suspicious certificates, and integrating findings into threat intelligence workflows. + +## When to Use + +- When investigating security incidents that require analyzing certificate transparency for phishing +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `requests`, `certstream`, `tldextract`, `Levenshtein` libraries diff --git a/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md b/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md index 40a94043..eaca5812 100644 --- a/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md +++ b/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Cobalt Strike is a commercial adversary simulation tool widely abused by threat actors for post-exploitation operations. Beacon payloads contain embedded configuration data that reveals C2 server addresses, communication protocols, sleep intervals, jitter values, malleable C2 profile settings, watermark identifiers, and encryption keys. Extracting this configuration from PE files, shellcode, or memory dumps is critical for incident responders to map attacker infrastructure and attribute campaigns. The beacon configuration is XOR-encoded using a single byte (0x69 for version 3, 0x2e for version 4) and stored in a Type-Length-Value (TLV) format within the .data section. + +## When to Use + +- When investigating security incidents that require analyzing cobalt strike beacon configuration +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `dissect.cobaltstrike`, `pefile`, `yara-python` diff --git a/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md b/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md index 4613f53e..d7ffd222 100644 --- a/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md +++ b/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The `dissect.cobaltstrike` library can parse both profile files and extract configurations from beacon payloads, while `pyMalleableC2` provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation. + +## When to Use + +- When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `dissect.cobaltstrike` and/or `pyMalleableC2` diff --git a/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md b/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md index 67276c4a..0a05706e 100644 --- a/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md +++ b/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports. + +## When to Use + +- When investigating security incidents that require analyzing ethereum smart contract vulnerabilities +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.10+ with pip diff --git a/skills/analyzing-golang-malware-with-ghidra/SKILL.md b/skills/analyzing-golang-malware-with-ghidra/SKILL.md index 7948dd9c..3a7ab420 100644 --- a/skills/analyzing-golang-malware-with-ghidra/SKILL.md +++ b/skills/analyzing-golang-malware-with-ghidra/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Go (Golang) has become a popular language for malware authors due to its cross-compilation capabilities, static linking that produces self-contained binaries, and the complexity it introduces for reverse engineering. Go binaries contain the entire runtime, standard library, and all dependencies statically linked, resulting in large binaries (often 5-15MB) with thousands of functions. Ghidra struggles with Go-specific string formats (non-null-terminated), stripped function names, and goroutine concurrency patterns. Specialized tools like GoResolver (Volexity, 2025) use control-flow graph similarity to automatically deobfuscate and recover function names in stripped or obfuscated Go binaries. + +## When to Use + +- When investigating security incidents that require analyzing golang malware with ghidra +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Ghidra 11.0+ with JDK 17+ diff --git a/skills/analyzing-heap-spray-exploitation/SKILL.md b/skills/analyzing-heap-spray-exploitation/SKILL.md index 3b5f5e28..409c9f57 100644 --- a/skills/analyzing-heap-spray-exploitation/SKILL.md +++ b/skills/analyzing-heap-spray-exploitation/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Heap spraying is an exploitation technique that fills large regions of a process's heap with attacker-controlled data (typically NOP sleds followed by shellcode) to increase the reliability of code execution exploits. This skill covers detecting heap spray artifacts in memory dumps using Volatility3's malfind, vadinfo, and memmap plugins, identifying suspicious contiguous memory allocations, scanning for NOP sled patterns (0x90, 0x0c0c0c0c), and extracting embedded shellcode for analysis. + +## When to Use + +- When investigating security incidents that require analyzing heap spray exploitation +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `volatility3` framework installed diff --git a/skills/analyzing-linux-elf-malware/scripts/agent.py b/skills/analyzing-linux-elf-malware/scripts/agent.py index fe4f5606..d3455e47 100644 --- a/skills/analyzing-linux-elf-malware/scripts/agent.py +++ b/skills/analyzing-linux-elf-malware/scripts/agent.py @@ -84,8 +84,8 @@ def extract_strings(filepath, min_length=6): """Extract ASCII strings from the binary and categorize by type.""" stdout, _, rc = subprocess.run( ["strings", "-n", str(min_length), filepath], - capture_output=True, text=True -, timeout=120).stdout, "", 0 + capture_output=True, text=True, timeout=120 + ).stdout, "", 0 if not stdout: return {} all_strings = stdout.strip().splitlines() diff --git a/skills/analyzing-linux-kernel-rootkits/SKILL.md b/skills/analyzing-linux-kernel-rootkits/SKILL.md index a2775fd0..799e67d6 100644 --- a/skills/analyzing-linux-kernel-rootkits/SKILL.md +++ b/skills/analyzing-linux-kernel-rootkits/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit. + +## When to Use + +- When investigating security incidents that require analyzing linux kernel rootkits +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Volatility3 installed (pip install volatility3) diff --git a/skills/analyzing-malicious-url-with-urlscan/SKILL.md b/skills/analyzing-malicious-url-with-urlscan/SKILL.md index 8bb8231b..fbe80191 100644 --- a/skills/analyzing-malicious-url-with-urlscan/SKILL.md +++ b/skills/analyzing-malicious-url-with-urlscan/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This skill covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk. + +## When to Use + +- When investigating security incidents that require analyzing malicious url with urlscan +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - URLScan.io account (free tier available, API key for automation) - Python 3.8+ with requests library diff --git a/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md b/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md index 64bb8294..e73479a2 100644 --- a/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md +++ b/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Malpedia is a collaborative platform maintained by Fraunhofer FKIE that catalogs malware families with their aliases, YARA rules, threat actor associations, and reference reports. With over 2,600 malware families documented, it serves as the definitive resource for understanding malware lineages, tracking variant evolution, and linking malware to specific threat groups. This skill covers querying the Malpedia API, mapping malware family relationships, extracting YARA rules for detection, and building intelligence on malware ecosystems used by adversaries. + +## When to Use + +- When investigating security incidents that require analyzing malware family relationships with malpedia +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `requests`, `yara-python`, `stix2` libraries diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 0cf1b31d..0c61e66d 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination. + +## When to Use + +- When investigating security incidents that require analyzing malware persistence with autoruns +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Sysinternals Autoruns (GUI) and Autorunsc (CLI) diff --git a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md index 2839eb13..5cedaace 100644 --- a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md +++ b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis. + +## When to Use + +- When investigating security incidents that require analyzing malware sandbox evasion techniques +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports diff --git a/skills/analyzing-network-covert-channels-in-malware/SKILL.md b/skills/analyzing-network-covert-channels-in-malware/SKILL.md index f4c42171..ad68dcb3 100644 --- a/skills/analyzing-network-covert-channels-in-malware/SKILL.md +++ b/skills/analyzing-network-covert-channels-in-malware/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Malware uses covert channels to disguise C2 communication and data exfiltration within legitimate-looking network traffic. DNS tunneling encodes data in DNS queries and responses (used by tools like iodine, dnscat2, and malware families like FrameworkPOS). ICMP tunneling hides data in echo request/reply payloads (icmpsh, ptunnel). HTTP covert channels embed C2 data in headers, cookies, or steganographic images. Protocol abuse exploits allowed protocols to bypass firewalls. DNS tunneling detection achieves 99%+ recall with modern ML-based approaches, though low-throughput exfiltration remains challenging. Palo Alto Unit42 tracked three major DNS tunneling campaigns (TrkCdn, SecShow, Savvy Seahorse) through 2024, showing the technique's continued prevalence. + +## When to Use + +- When investigating security incidents that require analyzing network covert channels in malware +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `scapy`, `dpkt`, `dnslib` diff --git a/skills/analyzing-network-packets-with-scapy/SKILL.md b/skills/analyzing-network-packets-with-scapy/SKILL.md index 7595b8fd..583247fb 100644 --- a/skills/analyzing-network-packets-with-scapy/SKILL.md +++ b/skills/analyzing-network-packets-with-scapy/SKILL.md @@ -21,6 +21,14 @@ license: Apache-2.0 Scapy is a Python packet manipulation library that enables crafting, sending, sniffing, and dissecting network packets at granular protocol layers. This skill covers using Scapy for security-relevant tasks including TCP/UDP/ICMP packet crafting, pcap file analysis, protocol field extraction, SYN scan implementation, DNS query analysis, and detecting anomalous traffic patterns such as unusually fragmented packets or malformed headers. + +## When to Use + +- When investigating security incidents that require analyzing network packets with scapy +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.8+ with `scapy` library installed (`pip install scapy`) diff --git a/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md b/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md index 144f44b0..156546ce 100644 --- a/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md +++ b/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Business Email Compromise (BEC) attacks often leave traces in Office 365 audit logs: suspicious inbox rule creation, email forwarding to external addresses, mailbox delegation changes, and unauthorized OAuth application consent grants. This skill uses the Microsoft Graph API to query the Unified Audit Log, enumerate inbox rules across mailboxes, detect forwarding configurations, and identify compromised account indicators. + +## When to Use + +- When investigating security incidents that require analyzing office365 audit logs for compromise +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Azure AD app registration with `AuditLog.Read.All`, `MailboxSettings.Read`, `Mail.Read` (application permissions) diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 22a034ba..1611915b 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation. + +## When to Use + +- When investigating security incidents that require analyzing persistence mechanisms in linux +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Root or sudo access on target Linux system (or forensic image) diff --git a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md index 73ac0696..004227b0 100644 --- a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md +++ b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Ransomware groups operating under double-extortion models maintain data leak sites (DLS) on Tor hidden services where they post victim names, stolen data samples, and countdown timers to pressure payment. In H1 2025, 96 unique ransomware groups were active, listing approximately 535 victims per month. Monitoring these sites provides intelligence on active threat groups, targeted sectors, geographic patterns, and emerging ransomware families. This skill covers safely collecting DLS intelligence, extracting structured data, tracking group activity trends, and producing sector-specific risk assessments. + +## When to Use + +- When investigating security incidents that require analyzing ransomware leak site intelligence +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `requests`, `beautifulsoup4`, `pandas`, `matplotlib` libraries diff --git a/skills/analyzing-ransomware-network-indicators/SKILL.md b/skills/analyzing-ransomware-network-indicators/SKILL.md index 92bfa410..493ba63f 100644 --- a/skills/analyzing-ransomware-network-indicators/SKILL.md +++ b/skills/analyzing-ransomware-network-indicators/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families. + +## When to Use + +- When investigating security incidents that require analyzing ransomware network indicators +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Zeek conn.log files or NetFlow CSV/JSON exports diff --git a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md index f35915e0..9cbf6b3a 100644 --- a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md +++ b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Supply chain attacks compromise legitimate software distribution channels to deliver malware through trusted update mechanisms. Notable examples include SolarWinds SUNBURST (2020, affecting 18,000+ customers), 3CX SmoothOperator (2023, a cascading supply chain attack originating from Trading Technologies), and numerous npm/PyPI package poisoning campaigns. Analysis involves comparing trojanized binaries against legitimate versions, identifying injected code in build artifacts, examining code signing anomalies, and tracing the infection chain from initial compromise through payload delivery. As of 2025, supply chain attacks account for 30% of all breaches, a 100% increase from prior years. + +## When to Use + +- When investigating security incidents that require analyzing supply chain malware artifacts +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `pefile`, `ssdeep`, `hashlib` diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md index b42d84d8..c1e26f7d 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices. + +## When to Use + +- When investigating security incidents that require analyzing threat actor ttps with mitre attack +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `mitreattack-python`, `attackcti`, `stix2` libraries diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md index abe646b3..7974b530 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md @@ -23,6 +23,14 @@ Combined with the attackcti Python library (which queries ATT&CK STIX data via T can programmatically generate Navigator layer files mapping specific threat group TTPs, compare multiple groups, and assess detection coverage gaps against known adversaries. + +## When to Use + +- When investigating security incidents that require analyzing threat actor ttps with mitre navigator +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.8+ with attackcti and stix2 libraries installed diff --git a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md index 03229165..d624fac0 100644 --- a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md +++ b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 DNSTwist is a domain name permutation engine that generates similar-looking domain names to detect typosquatting, homograph phishing attacks, and brand impersonation. It creates thousands of domain permutations using techniques like character substitution, transposition, insertion, omission, and homoglyph replacement, then checks DNS records (A, AAAA, NS, MX), calculates web page similarity using fuzzy hashing (ssdeep) and perceptual hashing (pHash), and identifies potentially malicious registered domains. + +## When to Use + +- When investigating security incidents that require analyzing typosquatting domains with dnstwist +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `dnstwist` installed (`pip install dnstwist[full]`) diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 9edfc51e..8d817429 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Windows Prefetch files (.pf) record application execution data including executable names, run counts, timestamps, loaded DLLs, and accessed directories. This skill covers parsing Prefetch files using the windowsprefetch Python library to reconstruct execution timelines, detect renamed or masquerading binaries by comparing executable names with loaded resources, and identifying suspicious programs that may indicate malware execution or lateral movement. + +## When to Use + +- When investigating security incidents that require analyzing windows prefetch with python +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `windowsprefetch` library (pip install windowsprefetch) diff --git a/skills/building-adversary-infrastructure-tracking-system/SKILL.md b/skills/building-adversary-infrastructure-tracking-system/SKILL.md index c2859339..b6b262a6 100644 --- a/skills/building-adversary-infrastructure-tracking-system/SKILL.md +++ b/skills/building-adversary-infrastructure-tracking-system/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Adversary infrastructure tracking uses passive DNS records, certificate transparency logs, WHOIS registration data, and IP enrichment to discover, map, and monitor threat actor command-and-control (C2) networks. Attackers frequently reuse hosting providers, registrars, SSL certificates, and naming patterns across campaigns, enabling analysts to pivot from known indicators to discover new infrastructure. This skill covers building an automated tracking system that identifies infrastructure relationships, detects newly registered domains matching adversary patterns, and maintains a continuously updated map of threat actor networks. + +## When to Use + +- When deploying or configuring building adversary infrastructure tracking system capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `requests`, `dnspython`, `python-whois`, `shodan`, `networkx` libraries diff --git a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md index 11e7b6df..e4f33199 100644 --- a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md +++ b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Cyber threat intelligence (CTI) reports from vendors like Mandiant, CrowdStrike, Talos, and Microsoft contain detailed descriptions of adversary behaviors that can be extracted, normalized, and cataloged into a structured attack pattern library. This skill covers parsing CTI reports to extract adversary techniques, mapping behaviors to MITRE ATT&CK technique IDs, creating STIX 2.1 Attack Pattern objects, building a searchable library indexed by tactic, technique, and threat actor, and generating detection rule templates from documented patterns. + +## When to Use + +- When deploying or configuring building attack pattern library from cti reports capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `stix2`, `mitreattack-python`, `spacy`, `requests` libraries diff --git a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md index 3e47a21a..d7d4798d 100644 --- a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md +++ b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Identity federation enables users authenticated by one identity provider to access resources managed by another without maintaining separate credentials. This skill covers establishing SAML 2.0 federation between an organization's on-premises Active Directory (via AD FS or third-party IdP) and Microsoft Entra ID (formerly Azure AD), as well as configuring federated SSO for third-party SaaS applications. Federation eliminates password synchronization concerns and keeps authentication authority on-premises while extending SSO to cloud resources. + +## When to Use + +- When deploying or configuring building identity federation with saml azure ad capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - On-premises Active Directory domain diff --git a/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md b/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md index 5df20964..e69b9d38 100644 --- a/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md +++ b/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 IOC defanging modifies potentially malicious indicators (URLs, IP addresses, domains, email addresses) to prevent accidental clicks or execution while preserving readability for analysis and sharing. This skill covers building an automated pipeline that ingests raw IOCs from multiple sources, normalizes and deduplicates them, applies defanging for safe human consumption, converts them to STIX 2.1 format for machine consumption, and distributes through TAXII servers, MISP instances, and email reports. + +## When to Use + +- When deploying or configuring building ioc defanging and sharing pipeline capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `defang`, `ioc-fanger`, `stix2`, `requests`, `validators` libraries diff --git a/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md b/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md index ef9b4402..59c2af07 100644 --- a/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md +++ b/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using OpenCTI's connector ecosystem to enrich indicators with context from VirusTotal, Shodan, AbuseIPDB, GreyNoise, and other sources. The pipeline automatically enriches newly ingested indicators, correlates them with known threat actors and campaigns, and scores them for analyst prioritization. + +## When to Use + +- When deploying or configuring building ioc enrichment pipeline with opencti capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Docker and Docker Compose for OpenCTI deployment diff --git a/skills/building-patch-tuesday-response-process/SKILL.md b/skills/building-patch-tuesday-response-process/SKILL.md index a6897025..c497c492 100644 --- a/skills/building-patch-tuesday-response-process/SKILL.md +++ b/skills/building-patch-tuesday-response-process/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Microsoft releases security updates on the second Tuesday of each month ("Patch Tuesday"), addressing vulnerabilities across Windows, Office, Exchange, SQL Server, Azure services, and other products. In 2025, Microsoft patched over 1,129 vulnerabilities across the year -- an 11.9% increase from 2024 -- making a structured response process critical. The leading risk types include elevation of privilege (49%), remote code execution (34%), and information disclosure (7%). This skill covers building a repeatable Patch Tuesday response workflow from initial advisory review through testing, deployment, and validation. + +## When to Use + +- When deploying or configuring building patch tuesday response process capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Access to Microsoft Security Response Center (MSRC) update guide - Vulnerability management platform (Qualys VMDR, Rapid7, Tenable) diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index b43e11e5..9ece3dfc 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations. + +## When to Use + +- When deploying or configuring building phishing reporting button workflow capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Microsoft 365 or Google Workspace with administrative access - SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR) diff --git a/skills/building-role-mining-for-rbac-optimization/SKILL.md b/skills/building-role-mining-for-rbac-optimization/SKILL.md index 7a10a440..26073ad0 100644 --- a/skills/building-role-mining-for-rbac-optimization/SKILL.md +++ b/skills/building-role-mining-for-rbac-optimization/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Role mining is the process of analyzing existing user-permission assignments to discover optimal roles for a Role-Based Access Control (RBAC) system. Organizations accumulate excessive permissions over time through job changes, project assignments, and ad-hoc access grants, leading to "role explosion" where thousands of granular roles exist with significant overlap. Role mining uses data analysis -- including clustering algorithms, formal concept analysis, and graph-based methods -- to consolidate permissions into a minimal set of roles that accurately represent business functions while enforcing least privilege. + +## When to Use + +- When deploying or configuring building role mining for rbac optimization capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Export of current user-permission assignments (CSV/database) diff --git a/skills/building-threat-actor-profile-from-osint/SKILL.md b/skills/building-threat-actor-profile-from-osint/SKILL.md index a82e810c..a7d43a12 100644 --- a/skills/building-threat-actor-profile-from-osint/SKILL.md +++ b/skills/building-threat-actor-profile-from-osint/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Threat actor profiling using OSINT systematically gathers and analyzes publicly available information to build comprehensive profiles of adversary groups. This skill covers collecting intelligence from public sources (security vendor reports, paste sites, dark web forums, social media, code repositories), correlating indicators across platforms, mapping adversary infrastructure using tools like Maltego and SpiderFoot, and producing structured threat actor dossiers that inform defensive strategies and attribution assessments. + +## When to Use + +- When deploying or configuring building threat actor profile from osint capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `shodan`, `requests`, `beautifulsoup4`, `maltego-trx`, `stix2` libraries diff --git a/skills/building-threat-feed-aggregation-with-misp/SKILL.md b/skills/building-threat-feed-aggregation-with-misp/SKILL.md index 83bbb45a..3423cac9 100644 --- a/skills/building-threat-feed-aggregation-with-misp/SKILL.md +++ b/skills/building-threat-feed-aggregation-with-misp/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 MISP is the leading open-source threat intelligence platform for collecting, storing, distributing, and sharing cybersecurity indicators and threat intelligence. It aggregates feeds from OSINT sources, commercial providers, and sharing communities into a unified platform with automatic correlation, STIX/TAXII export, and direct integration with SIEMs and security tools. This skill covers deploying MISP via Docker, configuring feeds from sources like abuse.ch, AlienVault OTX, and CIRCL, setting up automated feed synchronization, and integrating with Splunk, Elasticsearch, and SOAR platforms. + +## When to Use + +- When deploying or configuring building threat feed aggregation with misp capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Docker and Docker Compose for deployment diff --git a/skills/building-threat-intelligence-platform/SKILL.md b/skills/building-threat-intelligence-platform/SKILL.md index 28508135..8261a63f 100644 --- a/skills/building-threat-intelligence-platform/SKILL.md +++ b/skills/building-threat-intelligence-platform/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified system for collecting, analyzing, enriching, and disseminating threat intelligence. This skill covers designing TIP architecture using open-source tools (MISP, OpenCTI, TheHive, Cortex), configuring feed ingestion pipelines, establishing enrichment workflows, implementing STIX/TAXII interoperability, and building analyst dashboards for CTI operations. + +## When to Use + +- When deploying or configuring building threat intelligence platform capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Docker and Docker Compose for deploying platform components diff --git a/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md b/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md index 21da3d88..577d6c69 100644 --- a/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md +++ b/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview With over 30,000 new vulnerabilities identified in 2024 (a 17% increase from the prior year), organizations must track how long vulnerabilities remain unpatched and whether remediation occurs within defined Service Level Agreements (SLAs). Vulnerability aging measures the time between discovery and remediation, while SLA tracking enforces severity-based deadlines. Industry benchmarks indicate standard SLAs of 14 days for critical, 30 days for high, 60 days for medium, and 90 days for low vulnerabilities, though more aggressive timelines (24-48 hours for actively exploited critical CVEs) are increasingly common. This skill covers designing SLA policies, building aging dashboards, implementing automated escalations, and generating compliance metrics. + +## When to Use + +- When deploying or configuring building vulnerability aging and sla tracking capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Vulnerability management platform with historical scan data - Asset inventory with criticality ratings diff --git a/skills/collecting-threat-intelligence-with-misp/SKILL.md b/skills/collecting-threat-intelligence-with-misp/SKILL.md index 44be0731..a2f83ec3 100644 --- a/skills/collecting-threat-intelligence-with-misp/SKILL.md +++ b/skills/collecting-threat-intelligence-with-misp/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or counter-terrorism information. This skill covers deploying MISP, configuring threat feeds, using the PyMISP API for programmatic access, and building automated collection pipelines that aggregate IOCs from multiple community and commercial sources. + +## When to Use + +- When managing security operations that require collecting threat intelligence with misp +- When improving security program maturity and operational processes +- When establishing standardized procedures for security team workflows +- When integrating threat intelligence or vulnerability data into operations + ## Prerequisites - Python 3.9+ with `pymisp` library installed diff --git a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md index ed69d805..30f794b2 100644 --- a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md +++ b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md @@ -2,8 +2,8 @@ name: configuring-microsegmentation-for-zero-trust description: Configure microsegmentation policies to enforce least-privilege workload-to-workload access using tools like VMware NSX, Illumio, and Calico, preventing lateral movement in zero trust architectures. domain: cybersecurity -subdomain: security-operations -tags: [cybersecurity] +subdomain: zero-trust-architecture +tags: [zero-trust, microsegmentation, network-access, lateral-movement, network-security] version: "1.0" author: mahipal license: Apache-2.0 @@ -11,19 +11,12 @@ license: Apache-2.0 # Configuring Microsegmentation for Zero Trust ---- -domain: cybersecurity -subdomain: zero-trust-architecture -author: mahipal -tags: [zero-trust, microsegmentation, network-access, lateral-movement, network-security] -difficulty: advanced -estimated_time: 4-6 hours -prerequisites: - - Understanding of zero trust principles (NIST SP 800-207) - - Knowledge of network segmentation concepts - - Familiarity with firewall and SDN technologies - - Experience with VMware NSX, Illumio, Guardicore, or Cisco ACI ---- +## Prerequisites + +- Understanding of zero trust principles (NIST SP 800-207) +- Knowledge of network segmentation concepts +- Familiarity with firewall and SDN technologies +- Experience with VMware NSX, Illumio, Guardicore, or Cisco ACI ## Overview diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index 37e8704e..bdd42af2 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes. + +## When to Use + +- When performing authorized security testing that involves deobfuscating powershell obfuscated malware +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + ## Prerequisites - Python 3.9+ with `base64`, `re`, `subprocess` modules diff --git a/skills/deploying-software-defined-perimeter/SKILL.md b/skills/deploying-software-defined-perimeter/SKILL.md index 12ad7e4e..315aac7a 100644 --- a/skills/deploying-software-defined-perimeter/SKILL.md +++ b/skills/deploying-software-defined-perimeter/SKILL.md @@ -2,8 +2,8 @@ name: deploying-software-defined-perimeter description: Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual TLS, and SDP controller/gateway configuration to enforce zero trust network access. domain: cybersecurity -subdomain: security-operations -tags: [cybersecurity] +subdomain: zero-trust-architecture +tags: [zero-trust, sdp, software-defined-perimeter, network-access, ztna] version: "1.0" author: mahipal license: Apache-2.0 @@ -11,19 +11,12 @@ license: Apache-2.0 # Deploying Software-Defined Perimeter ---- -domain: cybersecurity -subdomain: zero-trust-architecture -author: mahipal -tags: [zero-trust, sdp, software-defined-perimeter, network-access, ztna] -difficulty: advanced -estimated_time: 4-6 hours -prerequisites: - - Understanding of zero trust principles (NIST SP 800-207) - - Knowledge of CSA Software-Defined Perimeter specification - - Familiarity with PKI and mutual TLS authentication - - Experience with network security architecture ---- +## Prerequisites + +- Understanding of zero trust principles (NIST SP 800-207) +- Knowledge of CSA Software-Defined Perimeter specification +- Familiarity with PKI and mutual TLS authentication +- Experience with network security architecture ## Overview diff --git a/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md b/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md index f90f7d6c..14ce01d1 100644 --- a/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md +++ b/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 ARP poisoning (ARP spoofing) is a Layer 2 attack where an adversary sends falsified ARP messages to associate their MAC address with the IP address of a legitimate host, enabling man-in-the-middle (MitM) interception, session hijacking, or denial of service. Since ARP has no built-in authentication mechanism, any device on a broadcast domain can forge ARP replies. Detection requires monitoring ARP traffic for anomalies such as gratuitous ARP floods, IP-to-MAC mapping changes, and duplicate IP addresses. This skill covers deploying multiple detection layers including ARPWatch, Dynamic ARP Inspection (DAI), Wireshark-based analysis, and custom Python monitoring tools. + +## When to Use + +- When investigating security incidents that require detecting arp poisoning in network traffic +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Access to the target network segment (broadcast domain) diff --git a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md index 2b5f4af8..2c34cd21 100644 --- a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md +++ b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's `lookup_events` API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats. + +## When to Use + +- When investigating security incidents that require detecting aws cloudtrail anomalies +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `boto3` library diff --git a/skills/detecting-aws-iam-privilege-escalation/SKILL.md b/skills/detecting-aws-iam-privilege-escalation/SKILL.md index 874c7e75..bfbf797a 100644 --- a/skills/detecting-aws-iam-privilege-escalation/SKILL.md +++ b/skills/detecting-aws-iam-privilege-escalation/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles. + +## When to Use + +- When investigating security incidents that require detecting aws iam privilege escalation +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.8+ with boto3 library diff --git a/skills/detecting-azure-lateral-movement/SKILL.md b/skills/detecting-azure-lateral-movement/SKILL.md index 26a1c345..bbb9967c 100644 --- a/skills/detecting-azure-lateral-movement/SKILL.md +++ b/skills/detecting-azure-lateral-movement/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Lateral movement in Azure AD/Entra ID differs from on-premises environments. Attackers pivot through OAuth application consent grants, service principal abuse, cross-tenant access policies, and stolen refresh tokens rather than SMB/RDP connections. Detection requires correlating Microsoft Graph API audit logs, Azure AD sign-in logs, and Entra ID protection risk events using KQL queries in Microsoft Sentinel. This skill covers building detection analytics for common Azure lateral movement techniques including application impersonation, mailbox delegation abuse, and conditional access policy bypasses. + +## When to Use + +- When investigating security incidents that require detecting azure lateral movement +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Azure subscription with Microsoft Sentinel workspace configured diff --git a/skills/detecting-business-email-compromise-with-ai/SKILL.md b/skills/detecting-business-email-compromise-with-ai/SKILL.md index fd68d177..cc3d927a 100644 --- a/skills/detecting-business-email-compromise-with-ai/SKILL.md +++ b/skills/detecting-business-email-compromise-with-ai/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview AI-powered BEC detection uses machine learning, NLP, and behavioral analytics to identify sophisticated impersonation attacks that contain no malicious links or attachments. Traditional rule-based filters miss these attacks because BEC relies purely on social engineering. Modern AI approaches analyze writing style, tone, vocabulary, grammatical patterns, and behavioral context to determine if an email genuinely comes from the stated sender. BERT-based models achieve 98.65% accuracy in BEC detection, and AI-enhanced platforms show a 25% increase in phishing identification over keyword-based rules. + +## When to Use + +- When investigating security incidents that require detecting business email compromise with ai +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - AI-powered email security platform (Abnormal Security, Tessian, Microsoft Defender) - Historical email data for baseline training (minimum 30 days) diff --git a/skills/detecting-business-email-compromise/SKILL.md b/skills/detecting-business-email-compromise/SKILL.md index 2c2623d7..77b17bcc 100644 --- a/skills/detecting-business-email-compromise/SKILL.md +++ b/skills/detecting-business-email-compromise/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, or changing payment details. Unlike traditional phishing, BEC often contains no malicious links or attachments, relying purely on social engineering. This skill covers detection techniques using email gateway rules, behavioral analytics, and financial process controls. + +## When to Use + +- When investigating security incidents that require detecting business email compromise +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Email security gateway with BEC detection capabilities - Understanding of organizational financial processes and approval chains diff --git a/skills/detecting-container-escape-attempts/SKILL.md b/skills/detecting-container-escape-attempts/SKILL.md index e110614f..6c1ddee8 100644 --- a/skills/detecting-container-escape-attempts/SKILL.md +++ b/skills/detecting-container-escape-attempts/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators such as namespace manipulation, capability abuse, kernel exploits, mounted sensitive paths, and anomalous syscall patterns using runtime security tools like Falco, Sysdig, and custom seccomp/audit rules. + +## When to Use + +- When investigating security incidents that require detecting container escape attempts +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Linux host with kernel 5.10+ (eBPF support) diff --git a/skills/detecting-credential-dumping-techniques/SKILL.md b/skills/detecting-credential-dumping-techniques/SKILL.md index 8c7be9b8..2794ae71 100644 --- a/skills/detecting-credential-dumping-techniques/SKILL.md +++ b/skills/detecting-credential-dumping-techniques/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique where adversaries extract authentication credentials from OS memory, registry hives, or domain controller databases. This skill covers detection of LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and comsvcs.dll MiniDump abuse. Detection rules analyze GrantedAccess bitmasks, suspicious calling processes, and known tool signatures. + +## When to Use + +- When investigating security incidents that require detecting credential dumping techniques +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe diff --git a/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md b/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md index e098642b..fe82dfc3 100644 --- a/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md +++ b/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 DNS exfiltration exploits the Domain Name System as a covert channel to extract data from compromised networks. Attackers encode stolen data into DNS query names (subdomains) or DNS response records (TXT, CNAME, NULL), bypassing traditional security controls that typically allow DNS traffic unrestricted. Tools like iodine, dnscat2, and dns2tcp enable full TCP tunneling over DNS. Detection requires analyzing DNS query patterns for anomalies including excessive query length, high entropy subdomain strings, abnormal query volumes to single domains, and oversized TXT record responses. This skill covers building a comprehensive DNS exfiltration detection capability using passive DNS analysis, statistical methods, and machine learning approaches. + +## When to Use + +- When investigating security incidents that require detecting dns exfiltration with dns query analysis +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Access to DNS query logs (passive DNS capture, DNS server logs, or PCAP) diff --git a/skills/detecting-email-account-compromise/SKILL.md b/skills/detecting-email-account-compromise/SKILL.md index 099ded9c..6fa7b37c 100644 --- a/skills/detecting-email-account-compromise/SKILL.md +++ b/skills/detecting-email-account-compromise/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Email account compromise (EAC) is a prevalent attack vector where adversaries gain unauthorized access to mailboxes to exfiltrate sensitive data, conduct business email compromise (BEC), or establish persistence through inbox rule manipulation. Attackers commonly create forwarding rules to siphon emails, delete rules to hide evidence, or use OAuth tokens for persistent access. Detection relies on analyzing Microsoft 365 Unified Audit Logs, Azure AD sign-in logs for impossible travel or suspicious locations, inbox rule creation events (Set-InboxRule, New-InboxRule), and Microsoft Graph API access patterns. Key indicators include forwarding rules to external addresses, rules that delete or move messages matching keywords like "invoice" or "payment", and sign-ins from unusual user agents such as python-requests. + +## When to Use + +- When investigating security incidents that require detecting email account compromise +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Microsoft 365 with Unified Audit Logging enabled diff --git a/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md b/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md index 4604424f..dbaaaa6f 100644 --- a/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md +++ b/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md @@ -18,6 +18,14 @@ DNS tunneling and exfiltration is a technique used by attackers to bypass firewa This skill analyzes Zeek dns.log files (TSV format) to detect exfiltration indicators. The agent computes Shannon entropy for each subdomain component, identifies queries exceeding the 63-character DNS label limit, counts unique subdomains per parent domain, and flags domains that exceed configurable thresholds. These techniques detect tools like dnscat2, iodine, dns2tcp, and custom DNS tunneling implementations. + +## When to Use + +- When investigating security incidents that require detecting exfiltration over dns with zeek +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9 or later with math and collections modules (stdlib) diff --git a/skills/detecting-golden-ticket-forgery/SKILL.md b/skills/detecting-golden-ticket-forgery/SKILL.md index 39adb69d..4be249bc 100644 --- a/skills/detecting-golden-ticket-forgery/SKILL.md +++ b/skills/detecting-golden-ticket-forgery/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtgt account NTLM hash, granting unrestricted access to any service in the Active Directory domain. This skill detects Golden Ticket usage by analyzing Event ID 4769 for RC4 encryption type (0x17) in environments enforcing AES, identifying tickets with abnormal lifetimes exceeding domain policy, correlating TGS requests with missing corresponding TGT requests (Event ID 4768), and detecting krbtgt password age anomalies. + +## When to Use + +- When investigating security incidents that require detecting golden ticket forgery +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Windows Domain Controller with Kerberos audit logging enabled diff --git a/skills/detecting-insider-threat-with-ueba/SKILL.md b/skills/detecting-insider-threat-with-ueba/SKILL.md index f771eb02..e4ff2918 100644 --- a/skills/detecting-insider-threat-with-ueba/SKILL.md +++ b/skills/detecting-insider-threat-with-ueba/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 User and Entity Behavior Analytics (UEBA) moves beyond static rule-based detection to model normal behavior for users, hosts, and applications, then flag statistically significant deviations that may indicate insider threats. Using Elasticsearch as the analytics backend, this skill covers building behavioral baselines from authentication logs, file access events, and network activity, computing risk scores using statistical deviation and peer group comparison, and correlating multiple low-confidence indicators into high-confidence insider threat alerts. + +## When to Use + +- When investigating security incidents that require detecting insider threat with ueba +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Elasticsearch 8.x or OpenSearch 2.x cluster with security audit data diff --git a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md index 529fd876..1614ee8d 100644 --- a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md +++ b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to execute malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe, and other LOLBins using process telemetry from Sysmon and Windows Event Logs, combined with Sigma rule-based detection. + +## When to Use + +- When investigating security incidents that require detecting living off the land with lolbas +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Sysmon or Windows Security Event Log (Event ID 4688) with command-line logging enabled diff --git a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md index 3949b3ae..6274d28a 100644 --- a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md +++ b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md @@ -26,6 +26,14 @@ This skill covers building detection rules that correlate these events to identi malicious scheduled tasks created from suspicious paths, with encoded payloads, or targeting remote systems. + +## When to Use + +- When investigating security incidents that require detecting malicious scheduled tasks with sysmon +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Sysmon installed with a detection-focused configuration (e.g., SwiftOnSecurity or Olaf Hartong) diff --git a/skills/detecting-network-scanning-with-ids-signatures/SKILL.md b/skills/detecting-network-scanning-with-ids-signatures/SKILL.md index 1b0ccc44..09e53201 100644 --- a/skills/detecting-network-scanning-with-ids-signatures/SKILL.md +++ b/skills/detecting-network-scanning-with-ids-signatures/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Network scanning is typically the first phase of an attack, where adversaries enumerate live hosts, open ports, running services, and OS versions using tools like Nmap, Masscan, ZMap, and custom scanners. Detecting this reconnaissance activity provides early warning of potential attacks. IDS/IPS systems like Suricata and Snort can identify scanning through signature-based detection (matching known scanner packet patterns), threshold-based detection (counting connection attempts over time), and anomaly detection (identifying unusual traffic patterns). This skill covers writing and deploying IDS signatures for scan detection, configuring threshold-based alerting, and correlating scan activity with downstream attack indicators. + +## When to Use + +- When investigating security incidents that require detecting network scanning with ids signatures +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Suricata 7.0+ or Snort 3.0+ deployed in IDS/IPS mode diff --git a/skills/detecting-pass-the-ticket-attacks/SKILL.md b/skills/detecting-pass-the-ticket-attacks/SKILL.md index b04ea66a..31ac0913 100644 --- a/skills/detecting-pass-the-ticket-attacks/SKILL.md +++ b/skills/detecting-pass-the-ticket-attacks/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 Pass-the-Ticket (PtT) is a credential theft technique (MITRE ATT&CK T1550.003) where adversaries steal Kerberos tickets (TGT or TGS) from one system and replay them on another to authenticate without knowing the user's password. This skill teaches detection of PtT attacks by correlating Windows Security Event IDs 4768 (TGT request), 4769 (TGS request), and 4771 (pre-authentication failure) for anomalies such as ticket reuse across different hosts, RC4 encryption downgrades, and unusual service ticket request volumes. + +## When to Use + +- When investigating security incidents that require detecting pass the ticket attacks +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Windows Domain Controller with advanced audit policy enabled (Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations) diff --git a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md index 8030e76f..5812eb54 100644 --- a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md +++ b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and when scanned, users typically use personal mobile devices that lack corporate security controls. Attackers have evolved to use split QR codes (two separate images), nested QR codes, and ASCII text-based QR codes to evade detection. + +## When to Use + +- When investigating security incidents that require detecting qr code phishing with email security +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Email security gateway with image analysis capabilities - Understanding of QR code structure and encoding diff --git a/skills/detecting-rdp-brute-force-attacks/SKILL.md b/skills/detecting-rdp-brute-force-attacks/SKILL.md index efe006f9..19116a65 100644 --- a/skills/detecting-rdp-brute-force-attacks/SKILL.md +++ b/skills/detecting-rdp-brute-force-attacks/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 RDP brute force attacks target Windows Remote Desktop Protocol services by attempting rapid credential guessing against exposed RDP endpoints. Detection relies on analyzing Windows Security Event Logs for Event ID 4625 (failed logon with Logon Type 10 or 3) and correlating with Event ID 4624 (successful logon) to identify compromised accounts. This skill covers parsing EVTX files with python-evtx, identifying attack patterns through source IP frequency analysis, detecting NLA bypass attempts, and generating actionable detection reports. + +## When to Use + +- When investigating security incidents that require detecting rdp brute force attacks +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `python-evtx`, `lxml` libraries diff --git a/skills/detecting-shadow-it-cloud-usage/SKILL.md b/skills/detecting-shadow-it-cloud-usage/SKILL.md index d93fceb5..69436489 100644 --- a/skills/detecting-shadow-it-cloud-usage/SKILL.md +++ b/skills/detecting-shadow-it-cloud-usage/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Shadow IT refers to unauthorized SaaS applications and cloud services used without IT approval. This skill analyzes proxy logs, DNS query logs, and firewall/netflow data to identify unauthorized cloud service usage, classify discovered domains against known SaaS categories, measure data transfer volumes, and flag high-risk services based on security posture and compliance requirements. + +## When to Use + +- When investigating security incidents that require detecting shadow it cloud usage +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `pandas`, `tldextract` diff --git a/skills/detecting-spearphishing-with-email-gateway/SKILL.md b/skills/detecting-spearphishing-with-email-gateway/SKILL.md index 00118354..7f19dc09 100644 --- a/skills/detecting-spearphishing-with-email-gateway/SKILL.md +++ b/skills/detecting-spearphishing-with-email-gateway/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, Mimecast, and Barracuda provide advanced detection capabilities including behavioral analysis, URL detonation, attachment sandboxing, and impersonation detection. This skill covers configuring these gateways to detect and block targeted phishing attacks. + +## When to Use + +- When investigating security incidents that require detecting spearphishing with email gateway +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Access to email security gateway admin console - Understanding of email flow architecture (MX records, transport rules) diff --git a/skills/detecting-suspicious-oauth-application-consent/SKILL.md b/skills/detecting-suspicious-oauth-application-consent/SKILL.md index 7e2739d1..b82f8501 100644 --- a/skills/detecting-suspicious-oauth-application-consent/SKILL.md +++ b/skills/detecting-suspicious-oauth-application-consent/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Illicit consent grant attacks trick users into granting excessive permissions to malicious OAuth applications in Azure AD / Microsoft Entra ID. This skill uses the Microsoft Graph API to enumerate OAuth2 permission grants, analyze application permissions for overly broad scopes, review directory audit logs for consent events, and flag high-risk applications based on publisher verification status and permission scope. + +## When to Use + +- When investigating security incidents that require detecting suspicious oauth application consent +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Azure AD / Entra ID tenant with Global Reader or Security Reader role diff --git a/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md b/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md index fabfa990..1da850bb 100644 --- a/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md +++ b/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules. Within vulnerability management, Metasploit serves as a validation tool to confirm that identified vulnerabilities are actually exploitable, enabling risk-based prioritization and demonstrating real-world impact to stakeholders. + +## When to Use + +- When performing authorized security testing that involves exploiting vulnerabilities with metasploit framework +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + ## Prerequisites - Metasploit Framework installed (Kali Linux or standalone) - PostgreSQL database for session/credential management diff --git a/skills/extracting-config-from-agent-tesla-rat/SKILL.md b/skills/extracting-config-from-agent-tesla-rat/SKILL.md index d6f41965..313129c2 100644 --- a/skills/extracting-config-from-agent-tesla-rat/SKILL.md +++ b/skills/extracting-config-from-agent-tesla-rat/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Agent Tesla is a .NET-based Remote Access Trojan (RAT) and keylogger that ranked among the top 10 malware variants in 2024, impacting 6.3% of corporate networks globally. It exfiltrates stolen credentials via SMTP email, FTP upload, Telegram bot API, or Discord webhooks. The malware configuration is embedded in the .NET assembly, typically obfuscated using string encryption, resource encryption, or custom loaders that decrypt and execute Agent Tesla in memory via .NET Reflection (fileless). Configuration extraction involves decompiling the .NET assembly with dnSpy or ILSpy, identifying the decryption routine for configuration strings, and extracting SMTP server addresses, credentials, FTP endpoints, Telegram bot tokens, and targeted applications. + +## When to Use + +- When performing authorized security testing that involves extracting config from agent tesla rat +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + ## Prerequisites - dnSpy or ILSpy for .NET decompilation diff --git a/skills/hardening-docker-containers-for-production/SKILL.md b/skills/hardening-docker-containers-for-production/SKILL.md index ebf7f660..3bb3e1d0 100644 --- a/skills/hardening-docker-containers-for-production/SKILL.md +++ b/skills/hardening-docker-containers-for-production/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce least-privilege principles across Docker daemon, images, containers, and runtime configurations. + +## When to Use + +- When deploying or configuring hardening docker containers for production capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Docker Engine 24.0+ installed diff --git a/skills/hunting-for-anomalous-powershell-execution/SKILL.md b/skills/hunting-for-anomalous-powershell-execution/SKILL.md index 4a01e295..8cecc12d 100644 --- a/skills/hunting-for-anomalous-powershell-execution/SKILL.md +++ b/skills/hunting-for-anomalous-powershell-execution/SKILL.md @@ -24,6 +24,14 @@ PowerShell. Combined with Module Logging (4103) and process creation events, ana detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools, and fileless attack techniques even when the attacker uses obfuscation layers. + +## When to Use + +- When investigating security incidents that require hunting for anomalous powershell execution +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational diff --git a/skills/hunting-for-cobalt-strike-beacons/SKILL.md b/skills/hunting-for-cobalt-strike-beacons/SKILL.md index d640f5c8..ba337ed7 100644 --- a/skills/hunting-for-cobalt-strike-beacons/SKILL.md +++ b/skills/hunting-for-cobalt-strike-beacons/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic. + +## When to Use + +- When investigating security incidents that require hunting for cobalt strike beacons +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Zeek 6.0+ with JA3 and HASSH packages installed diff --git a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md index d2666d57..52280f74 100644 --- a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md +++ b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Before exfiltrating data, adversaries typically stage collected files in a central location (MITRE ATT&CK T1074). This involves creating archives with tools like 7-Zip, RAR, or tar, consolidating files from multiple directories, and using temporary or hidden staging directories. This skill detects staging behavior by analyzing process creation logs for archiver activity, monitoring file system events in common staging paths, and identifying anomalous file consolidation patterns. + +## When to Use + +- When investigating security incidents that require hunting for data staging before exfiltration +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - EDR or Sysmon telemetry with process creation and file system events diff --git a/skills/hunting-for-dns-based-persistence/SKILL.md b/skills/hunting-for-dns-based-persistence/SKILL.md index 4cc29996..54425414 100644 --- a/skills/hunting-for-dns-based-persistence/SKILL.md +++ b/skills/hunting-for-dns-based-persistence/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Attackers establish DNS-based persistence by hijacking DNS records, creating unauthorized subdomains, abusing wildcard DNS entries, or modifying NS delegations to redirect traffic through attacker-controlled infrastructure. These techniques survive credential rotations, endpoint reimaging, and traditional remediation because DNS changes persist independently of compromised hosts. Detection requires passive DNS historical analysis, zone file auditing, and monitoring for unauthorized record modifications. This skill covers hunting methodologies using SecurityTrails passive DNS API, DNS audit logs from Route53/Azure DNS/Cloudflare, and zone transfer analysis. + +## When to Use + +- When investigating security incidents that require hunting for dns based persistence +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - SecurityTrails API key (free tier provides 50 queries/month) diff --git a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md index d264fb86..558b3c20 100644 --- a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md +++ b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 Domain fronting (MITRE ATT&CK T1090.004) is a technique where attackers use different domain names in the TLS SNI field and the HTTP Host header to disguise C2 traffic behind legitimate CDN-hosted domains. This skill detects domain fronting by parsing proxy/web gateway logs for SNI-Host header mismatches, analyzing TLS certificates for CDN provider identification, flagging connections where the SNI points to a high-reputation domain but the Host header targets an attacker-controlled domain, and correlating with known CDN provider IP ranges. + +## When to Use + +- When investigating security incidents that require hunting for domain fronting c2 traffic +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Web proxy or secure web gateway logs with SNI and Host header fields diff --git a/skills/hunting-for-lateral-movement-via-wmi/SKILL.md b/skills/hunting-for-lateral-movement-via-wmi/SKILL.md index ae63b48a..881c43f2 100644 --- a/skills/hunting-for-lateral-movement-via-wmi/SKILL.md +++ b/skills/hunting-for-lateral-movement-via-wmi/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Windows Management Instrumentation (WMI) is commonly abused for lateral movement via `wmic process call create` or Win32_Process.Create() to execute commands on remote hosts. Detection focuses on identifying WmiPrvSE.exe spawning child processes (cmd.exe, powershell.exe) in Windows Security Event ID 4688 and Sysmon Event ID 1 logs, along with WMI-Activity/Operational events (5857, 5860, 5861) for event subscription persistence. + +## When to Use + +- When investigating security incidents that require hunting for lateral movement via wmi +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Windows Security Event Logs with Process Creation auditing enabled (Event 4688 with command line) diff --git a/skills/hunting-for-process-injection-techniques/SKILL.md b/skills/hunting-for-process-injection-techniques/SKILL.md index 32373292..c60c4151 100644 --- a/skills/hunting-for-process-injection-techniques/SKILL.md +++ b/skills/hunting-for-process-injection-techniques/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Process injection (MITRE ATT&CK T1055) allows adversaries to execute code in the address space of another process, enabling defense evasion and privilege escalation. This skill detects injection techniques via Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious access rights), and analysis of source-target process relationships to distinguish legitimate from malicious injection. + +## When to Use + +- When investigating security incidents that require hunting for process injection techniques +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Sysmon installed with Event IDs 8 and 10 enabled diff --git a/skills/hunting-for-registry-run-key-persistence/SKILL.md b/skills/hunting-for-registry-run-key-persistence/SKILL.md index 670bbdff..c9832e5b 100644 --- a/skills/hunting-for-registry-run-key-persistence/SKILL.md +++ b/skills/hunting-for-registry-run-key-persistence/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Registry Run keys (T1547.001) are one of the most commonly used persistence mechanisms by adversaries. When a program is added to a Run key in the Windows registry, it executes automatically when a user logs in. Attackers abuse keys under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and their RunOnce counterparts to maintain persistence. Sysmon Event ID 13 (RegistryEvent - Value Set) captures registry value modifications including the target object path, the process that made the change, and the new value. Detection involves monitoring these events for suspicious executables in temp directories, encoded PowerShell commands, LOLBin paths, and processes that do not normally create Run key entries. Chaining Event 13 with Event 1 (Process Creation) and Event 11 (FileCreate) strengthens detection by confirming payload creation and execution. + +## When to Use + +- When investigating security incidents that require hunting for registry run key persistence +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Windows systems with Sysmon installed and configured to log Event ID 13 diff --git a/skills/hunting-for-startup-folder-persistence/SKILL.md b/skills/hunting-for-startup-folder-persistence/SKILL.md index e22d5b71..849e7ca8 100644 --- a/skills/hunting-for-startup-folder-persistence/SKILL.md +++ b/skills/hunting-for-startup-folder-persistence/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` or `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants. + +## When to Use + +- When investigating security incidents that require hunting for startup folder persistence +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `watchdog`, `pefile` (optional for PE analysis) diff --git a/skills/hunting-for-t1098-account-manipulation/SKILL.md b/skills/hunting-for-t1098-account-manipulation/SKILL.md index b772a547..190ea128 100644 --- a/skills/hunting-for-t1098-account-manipulation/SKILL.md +++ b/skills/hunting-for-t1098-account-manipulation/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 MITRE ATT&CK T1098 (Account Manipulation) covers adversary actions to maintain or expand access to compromised accounts, including adding credentials, modifying group memberships, SID history injection, and creating shadow admin accounts. This skill covers detecting these techniques through Windows Security Event Log analysis (Event IDs 4738, 4728, 4732, 4756, 4670, 5136), correlating group membership changes with privilege escalation indicators, and identifying anomalous account modification patterns. + +## When to Use + +- When investigating security incidents that require hunting for t1098 account manipulation +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Windows Security Event Logs (EVTX format) or SIEM access diff --git a/skills/hunting-for-unusual-service-installations/SKILL.md b/skills/hunting-for-unusual-service-installations/SKILL.md index 861234f2..d97d2d6d 100644 --- a/skills/hunting-for-unusual-service-installations/SKILL.md +++ b/skills/hunting-for-unusual-service-installations/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns. + +## When to Use + +- When investigating security incidents that require hunting for unusual service installations +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + ## Prerequisites - Python 3.9+ with `python-evtx`, `lxml` diff --git a/skills/implementing-anti-phishing-training-program/SKILL.md b/skills/implementing-anti-phishing-training-program/SKILL.md index e54077e4..2293d2eb 100644 --- a/skills/implementing-anti-phishing-training-program/SKILL.md +++ b/skills/implementing-anti-phishing-training-program/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Security awareness training is the human layer of phishing defense. An effective anti-phishing training program combines regular simulations, interactive learning modules, metric tracking, and positive reinforcement to build a security-conscious culture. This skill covers designing, deploying, and measuring a comprehensive phishing awareness program using platforms like KnowBe4, Proofpoint Security Awareness, and open-source alternatives. + +## When to Use + +- When deploying or configuring implementing anti phishing training program capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Management buy-in and budget approval - Security awareness training platform (KnowBe4, Proofpoint SAT, Cofense) diff --git a/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md b/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md index 49ae5296..718cfeea 100644 --- a/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md +++ b/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview XM Cyber is a continuous exposure management platform that uses attack graph analysis to identify how adversaries can chain together exposures -- vulnerabilities, misconfigurations, identity risks, and credential weaknesses -- to reach critical business assets. According to XM Cyber's 2024 research analyzing over 40 million exposures across 11.5 million entities, organizations typically have around 15,000 exploitable exposures, but traditional CVEs account for less than 1% of total exposures. The platform identifies that only 2% of exposures reside on "choke points" of converging attack paths, enabling security teams to focus on fixes that eliminate the most risk with the least effort. + +## When to Use + +- When deploying or configuring implementing attack path analysis with xm cyber capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - XM Cyber platform license and tenant access - Network connectivity to monitored environments (on-premises, cloud, hybrid) diff --git a/skills/implementing-aws-iam-permission-boundaries/SKILL.md b/skills/implementing-aws-iam-permission-boundaries/SKILL.md index 259469f3..8b10e338 100644 --- a/skills/implementing-aws-iam-permission-boundaries/SKILL.md +++ b/skills/implementing-aws-iam-permission-boundaries/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 IAM permission boundaries are an advanced AWS feature that sets the maximum permissions an identity-based policy can grant to an IAM entity (user or role). They enable centralized security teams to safely delegate IAM role and policy creation to application developers without risking privilege escalation. The effective permissions of an entity are the intersection of its identity-based policies and its permission boundary -- even if an identity policy grants `AdministratorAccess`, the permission boundary restricts it to only the allowed actions. + +## When to Use + +- When deploying or configuring implementing aws iam permission boundaries capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - AWS account with IAM administrative access diff --git a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md index 6baced2e..ca59b96d 100644 --- a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md +++ b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Microsoft Entra Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate risks from excessive, unnecessary, or misused access to critical resources. PIM replaces permanent (standing) privilege assignments with eligible assignments that require users to explicitly activate their role before use, with configurable duration, MFA enforcement, approval workflows, and justification requirements. This is a core component of Zero Trust identity governance in Microsoft environments. + +## When to Use + +- When deploying or configuring implementing azure ad privileged identity management capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Microsoft Entra ID P2 or Microsoft Entra ID Governance license diff --git a/skills/implementing-bgp-security-with-rpki/SKILL.md b/skills/implementing-bgp-security-with-rpki/SKILL.md index 78a8106a..f98df5ce 100644 --- a/skills/implementing-bgp-security-with-rpki/SKILL.md +++ b/skills/implementing-bgp-security-with-rpki/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Resource Public Key Infrastructure (RPKI) provides cryptographic validation of BGP route origins to prevent route hijacking and accidental route leaks. RPKI enables network operators to create Route Origin Authorizations (ROAs) that declare which Autonomous Systems (ASes) are authorized to originate specific IP prefixes. BGP routers validate received route announcements against RPKI data through Route Origin Validation (ROV), rejecting routes with invalid origins. This skill covers creating ROAs through Regional Internet Registries (RIRs), deploying RPKI validator software, configuring ROV on Cisco IOS-XE and Juniper Junos routers, and implementing BGP filtering policies based on RPKI validation state. + +## When to Use + +- When deploying or configuring implementing bgp security with rpki capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - IP address space allocated from an RIR (ARIN, RIPE, APNIC, AFRINIC, LACNIC) diff --git a/skills/implementing-container-network-policies-with-calico/SKILL.md b/skills/implementing-container-network-policies-with-calico/SKILL.md index aae54597..2999efd4 100644 --- a/skills/implementing-container-network-policies-with-calico/SKILL.md +++ b/skills/implementing-container-network-policies-with-calico/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Calico provides Kubernetes-native and extended network policy enforcement through its CNI plugin. This skill covers creating and auditing Calico NetworkPolicy and GlobalNetworkPolicy resources to implement pod-to-pod traffic control, namespace isolation, egress restrictions, and DNS-based policy rules using calicoctl and the Kubernetes API. + +## When to Use + +- When deploying or configuring implementing container network policies with calico capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Kubernetes cluster with Calico CNI installed diff --git a/skills/implementing-continuous-security-validation-with-bas/SKILL.md b/skills/implementing-continuous-security-validation-with-bas/SKILL.md index 5aa6a55a..0db9e9bc 100644 --- a/skills/implementing-continuous-security-validation-with-bas/SKILL.md +++ b/skills/implementing-continuous-security-validation-with-bas/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Breach and Attack Simulation (BAS) is an automated, continuous approach to validating security control effectiveness by safely executing real-world attack techniques against production security infrastructure. Unlike traditional penetration testing (point-in-time), BAS platforms continuously simulate threats mapped to MITRE ATT&CK, testing endpoint protection, network security, email gateways, SIEM detection, and incident response capabilities. Leading platforms include SafeBreach, AttackIQ, Picus Security (2024 Gartner Customers' Choice), Cymulate, Pentera, and SCYTHE. BAS 2.0 solutions safely emulate real attacker behavior across the entire IT environment without requiring pre-deployed agents on every endpoint. + +## When to Use + +- When deploying or configuring implementing continuous security validation with bas capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - BAS platform license (SafeBreach, AttackIQ, Picus, Cymulate, or Pentera) - Deployed security controls to validate (EDR, NGFW, email gateway, SIEM, WAF) diff --git a/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md b/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md index d565703e..2c925c4b 100644 --- a/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md +++ b/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Cloudflare provides multi-layer DDoS protection across its global network of over 300 data centers with 477+ Tbps of capacity. The platform protects against L3/4 volumetric attacks (SYN floods, UDP amplification, DNS reflection), protocol attacks (Ping of Death, Smurf), and L7 application-layer attacks (HTTP floods, Slowloris, cache-busting). Cloudflare's autonomous detection systems identify and mitigate attacks within approximately 3 seconds using traffic profiling, machine learning, and adaptive rulesets. This skill covers configuring Cloudflare's DDoS protection stack including managed rulesets, WAF rules, rate limiting, Bot Management, and origin server hardening. + +## When to Use + +- When deploying or configuring implementing ddos mitigation with cloudflare capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Cloudflare account (Pro plan minimum for WAF, Enterprise for Advanced DDoS) diff --git a/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md b/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md index ac5ed2ea..01dc5dfe 100644 --- a/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md +++ b/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Canary Tokens are lightweight tripwire mechanisms that alert when an attacker accesses a resource. This skill uses the Thinkst Canary REST API to programmatically create tokens (web bugs, DNS tokens, MS Word documents, AWS API keys), deploy them to strategic locations, monitor for triggered alerts, and generate deception coverage reports. + +## When to Use + +- When deploying or configuring implementing deception based detection with canarytoken capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Thinkst Canary Console or canarytokens.org account diff --git a/skills/implementing-diamond-model-analysis/SKILL.md b/skills/implementing-diamond-model-analysis/SKILL.md index a497cccb..c97fcdae 100644 --- a/skills/implementing-diamond-model-analysis/SKILL.md +++ b/skills/implementing-diamond-model-analysis/SKILL.md @@ -18,6 +18,14 @@ license: Apache-2.0 The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model programmatically to classify and correlate intrusion events, build activity threads linking related events, create activity-attack graphs, and generate pivot-ready intelligence from intrusion data. + +## When to Use + +- When deploying or configuring implementing diamond model analysis capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `networkx`, `stix2`, `graphviz` libraries diff --git a/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md b/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md index daf918c5..37272447 100644 --- a/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md +++ b/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate message integrity, and define policies for handling unauthenticated mail. Proper implementation drastically reduces phishing attacks that impersonate your organization's domain. + +## When to Use + +- When deploying or configuring implementing dmarc dkim spf email security capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - DNS management access for your domain - Access to email server/MTA configuration (Postfix, Exchange, Google Workspace, Microsoft 365) diff --git a/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md b/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md index 9e20f973..9aaf1051 100644 --- a/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md +++ b/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry-leading solution that uses multi-stage sandboxing, URL rewriting, and predictive analysis. This skill covers configuring Proofpoint TAP, integrating with email flow, analyzing sandbox reports, and tuning detection policies. + +## When to Use + +- When deploying or configuring implementing email sandboxing with proofpoint capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Proofpoint Email Protection license with TAP add-on - Admin access to Proofpoint admin console diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index 865dceeb..79275208 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Wazuh is an open-source SIEM and XDR platform for endpoint monitoring, threat detection, and compliance. This skill covers managing agents via the Wazuh REST API, creating custom decoders and rules in XML for organization-specific detections, querying alerts, and testing rule logic using the logtest endpoint. + +## When to Use + +- When deploying or configuring implementing endpoint detection with wazuh capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Wazuh Manager 4.x deployed with API enabled diff --git a/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md b/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md index a5a5e806..864913c1 100644 --- a/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md +++ b/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system that monitors file and directory integrity using cryptographic checksums. This skill covers generating AIDE configuration files, initializing baseline databases, running integrity checks, parsing change reports, and setting up automated cron-based monitoring with alerting. + +## When to Use + +- When deploying or configuring implementing file integrity monitoring with aide capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - AIDE installed on target Linux system (apt install aide / yum install aide) diff --git a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md index 2e511118..fb90b440 100644 --- a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md +++ b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 AFL++ (American Fuzzy Lop Plus Plus) is a community-maintained fork of AFL that provides state-of-the-art coverage-guided fuzz testing for discovering vulnerabilities in compiled applications. AFL++ uses genetic algorithms to mutate inputs, tracking code coverage to find new execution paths that trigger crashes, hangs, and undefined behavior. In CI/CD environments, AFL++ can be integrated to continuously test parsers, protocol handlers, file format processors, and any code that handles untrusted input. AFL++ supports persistent mode for high-speed fuzzing (up to 100,000+ executions per second), custom mutators, QEMU mode for binary-only fuzzing, and CmpLog/RedQueen for automatic dictionary extraction. + +## When to Use + +- When deploying or configuring implementing fuzz testing in cicd with aflplusplus capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Linux-based CI runners (AFL++ does not support Windows natively) diff --git a/skills/implementing-gdpr-data-protection-controls/SKILL.md b/skills/implementing-gdpr-data-protection-controls/SKILL.md index 6801125e..68c0ee37 100644 --- a/skills/implementing-gdpr-data-protection-controls/SKILL.md +++ b/skills/implementing-gdpr-data-protection-controls/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 ## Overview The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill covers implementing the technical and organizational measures required by GDPR, including data protection by design and by default, Data Protection Impact Assessments (DPIAs), data subject rights management, breach notification procedures, and cross-border data transfer mechanisms. + +## When to Use + +- When deploying or configuring implementing gdpr data protection controls capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Understanding of EU data protection law and its territorial scope - Knowledge of personal data processing activities within the organization diff --git a/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md b/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md index 9a712abb..100c8d0e 100644 --- a/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md +++ b/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 GitHub Advanced Security (GHAS) integrates CodeQL-powered static application security testing directly into the GitHub development workflow. CodeQL treats code as data, enabling semantic analysis that identifies security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and authentication flaws with significantly fewer false positives than traditional pattern-matching scanners. GHAS encompasses code scanning, secret scanning, dependency review, and Dependabot alerts to provide a comprehensive security posture for repositories. + +## When to Use + +- When deploying or configuring implementing github advanced security for code scanning capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - GitHub Enterprise Cloud or GitHub Enterprise Server 3.0+ with GHAS license diff --git a/skills/implementing-google-workspace-phishing-protection/SKILL.md b/skills/implementing-google-workspace-phishing-protection/SKILL.md index 814b6c20..d64cc5a6 100644 --- a/skills/implementing-google-workspace-phishing-protection/SKILL.md +++ b/skills/implementing-google-workspace-phishing-protection/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Google Workspace provides advanced phishing and malware protection through the Admin Console under Apps > Google Workspace > Gmail > Safety. Key features include Enhanced Pre-Delivery Scanning that examines messages more thoroughly before they reach inboxes, attachment and link protection that scans for malware and checks against known malicious sites, and spoofing detection for domain and employee name impersonation. Google's Advanced Protection Program (APP) provides the strongest account security for high-privilege users. + +## When to Use + +- When deploying or configuring implementing google workspace phishing protection capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Google Workspace Business Standard or higher license - Gmail Settings administrator privilege diff --git a/skills/implementing-google-workspace-sso-configuration/SKILL.md b/skills/implementing-google-workspace-sso-configuration/SKILL.md index 2c37297a..1ac5d228 100644 --- a/skills/implementing-google-workspace-sso-configuration/SKILL.md +++ b/skills/implementing-google-workspace-sso-configuration/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Single Sign-On (SSO) for Google Workspace allows organizations to authenticate users through their existing identity provider (IdP) such as Okta, Azure AD (Microsoft Entra ID), or ADFS, rather than managing separate Google passwords. This is implemented using SAML 2.0 protocol where Google Workspace acts as the Service Provider (SP) and the organization's IdP handles authentication. SSO centralizes credential management, enforces MFA policies at the IdP, and enables immediate access revocation when users leave the organization. + +## When to Use + +- When deploying or configuring implementing google workspace sso configuration capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Google Workspace Business, Enterprise, or Education edition diff --git a/skills/implementing-identity-verification-for-zero-trust/SKILL.md b/skills/implementing-identity-verification-for-zero-trust/SKILL.md index 5295fba2..20c35f4b 100644 --- a/skills/implementing-identity-verification-for-zero-trust/SKILL.md +++ b/skills/implementing-identity-verification-for-zero-trust/SKILL.md @@ -2,8 +2,8 @@ name: implementing-identity-verification-for-zero-trust description: Implement continuous identity verification for zero trust using phishing-resistant MFA (FIDO2/WebAuthn), risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model. domain: cybersecurity -subdomain: security-operations -tags: [cybersecurity] +subdomain: zero-trust-architecture +tags: [zero-trust, identity, authentication, mfa, identity-verification] version: "1.0" author: mahipal license: Apache-2.0 @@ -11,19 +11,12 @@ license: Apache-2.0 # Implementing Identity Verification for Zero Trust ---- -domain: cybersecurity -subdomain: zero-trust-architecture -author: mahipal -tags: [zero-trust, identity, authentication, mfa, identity-verification] -difficulty: advanced -estimated_time: 4-6 hours -prerequisites: - - Understanding of zero trust principles (NIST SP 800-207) - - Familiarity with identity providers (Azure AD, Okta, Ping Identity) - - Knowledge of authentication protocols (SAML 2.0, OIDC, FIDO2) - - Understanding of MFA and passwordless authentication ---- +## Prerequisites + +- Understanding of zero trust principles (NIST SP 800-207) +- Familiarity with identity providers (Azure AD, Okta, Ping Identity) +- Knowledge of authentication protocols (SAML 2.0, OIDC, FIDO2) +- Understanding of MFA and passwordless authentication ## Overview diff --git a/skills/implementing-iso-27001-information-security-management/SKILL.md b/skills/implementing-iso-27001-information-security-management/SKILL.md index ca6d050b..8ba5e925 100644 --- a/skills/implementing-iso-27001-information-security-management/SKILL.md +++ b/skills/implementing-iso-27001-information-security-management/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 ## Overview ISO/IEC 27001:2022 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). This skill covers the complete lifecycle from scoping through certification, including Annex A control selection, risk assessment methodology, Statement of Applicability (SoA) creation, and continuous improvement processes. + +## When to Use + +- When deploying or configuring implementing iso 27001 information security management capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Understanding of information security principles and risk management concepts - Familiarity with organizational governance structures and business processes diff --git a/skills/implementing-kubernetes-pod-security-standards/SKILL.md b/skills/implementing-kubernetes-pod-security-standards/SKILL.md index c0e5fa15..5c423ae8 100644 --- a/skills/implementing-kubernetes-pod-security-standards/SKILL.md +++ b/skills/implementing-kubernetes-pod-security-standards/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PSA replaces the deprecated PodSecurityPolicy and provides namespace-level enforcement with three modes: enforce, audit, and warn. + +## When to Use + +- When deploying or configuring implementing kubernetes pod security standards capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Kubernetes cluster 1.25+ (PSA GA) diff --git a/skills/implementing-log-forwarding-with-fluentd/SKILL.md b/skills/implementing-log-forwarding-with-fluentd/SKILL.md index ef7a145b..47a827df 100644 --- a/skills/implementing-log-forwarding-with-fluentd/SKILL.md +++ b/skills/implementing-log-forwarding-with-fluentd/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 This skill covers configuring Fluentd and Fluent Bit for centralized log collection, routing, and enrichment. Fluent Bit acts as a lightweight log forwarder on endpoints, while Fluentd serves as the central aggregator and processor. The configuration covers input plugins for syslog, file tailing, and application logs, with output routing to Elasticsearch, S3, and Splunk. + +## When to Use + +- When deploying or configuring implementing log forwarding with fluentd capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Fluentd (td-agent) v1.16+ or Fluent Bit v3.0+ diff --git a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md index 836f7a3d..64e8be3d 100644 --- a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md +++ b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Mimecast Targeted Threat Protection (TTP) is a suite of advanced email security services designed to protect against sophisticated phishing, spearphishing, and targeted attacks. TTP consists of four core modules: URL Protect (real-time URL rewriting and click-time analysis), Attachment Protect (sandbox detonation of suspicious attachments), Impersonation Protect (BEC and whaling detection), and Internal Email Protect (scanning internal/outbound email for threats). As of November 2025, Mimecast enabled URL Pre-Delivery Action with Hold setting for all customers by default. + +## When to Use + +- When deploying or configuring implementing mimecast targeted attack protection capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Mimecast Email Security license with TTP add-on - Administrative access to Mimecast Administration Console diff --git a/skills/implementing-network-access-control-with-cisco-ise/SKILL.md b/skills/implementing-network-access-control-with-cisco-ise/SKILL.md index 0946f0f0..c2eaee15 100644 --- a/skills/implementing-network-access-control-with-cisco-ise/SKILL.md +++ b/skills/implementing-network-access-control-with-cisco-ise/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Cisco Identity Services Engine (ISE) provides centralized network access control through 802.1X authentication, MAC Authentication Bypass (MAB), posture assessment, and guest access management. ISE acts as a RADIUS policy server that evaluates authentication requests from network devices (switches, wireless controllers) and returns authorization policies including VLAN assignments, downloadable ACLs (dACLs), and Security Group Tags (SGTs). This skill covers deploying ISE for enterprise wired 802.1X authentication with Active Directory integration, MAB fallback, posture compliance enforcement, and TrustSec segmentation. + +## When to Use + +- When deploying or configuring implementing network access control with cisco ise capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Cisco ISE 3.1+ appliance or virtual machine (16 CPU cores, 64GB RAM minimum for production) diff --git a/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md b/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md index 624fa401..77122832 100644 --- a/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md +++ b/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Suricata is a high-performance, open-source network threat detection engine developed by the Open Information Security Foundation (OISF). It functions as an IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and network security monitoring tool. Suricata performs deep packet inspection using extensive rule sets, protocol analysis, and file extraction capabilities. In IPS mode, Suricata inspects packets inline and can actively block malicious traffic. This skill covers deploying Suricata in IPS mode, configuring rulesets, writing custom rules, performance tuning, and integration with logging infrastructure. + +## When to Use + +- When deploying or configuring implementing network intrusion prevention with suricata capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Linux server (Ubuntu 22.04+ or CentOS 8+) with 4+ CPU cores and 8GB+ RAM diff --git a/skills/implementing-network-policies-for-kubernetes/SKILL.md b/skills/implementing-network-policies-for-kubernetes/SKILL.md index 22bb58d4..2012ee01 100644 --- a/skills/implementing-network-policies-for-kubernetes/SKILL.md +++ b/skills/implementing-network-policies-for-kubernetes/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Kubernetes NetworkPolicies provide pod-level network segmentation by defining ingress and egress rules that control traffic flow between pods, namespaces, and external endpoints. Combined with CNI plugins like Calico or Cilium, network policies enforce zero-trust microsegmentation to prevent lateral movement within the cluster. + +## When to Use + +- When deploying or configuring implementing network policies for kubernetes capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Kubernetes cluster with NetworkPolicy-supporting CNI (Calico, Cilium, Antrea) diff --git a/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md b/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md index 1135125a..db742b06 100644 --- a/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md +++ b/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Network segmentation divides a flat network into isolated security zones with firewall-enforced boundaries to contain breaches, restrict lateral movement, and enforce least-privilege access between workloads. Segmentation is a foundational control required by PCI DSS, HIPAA, NIST 800-53, and zero trust architectures. Modern segmentation combines traditional VLAN-based approaches with microsegmentation at the workload level for granular east-west traffic control. This skill covers designing zone architectures, configuring inter-zone firewall policies, implementing VLAN segmentation on switches, and deploying microsegmentation for dynamic environments. + +## When to Use + +- When deploying or configuring implementing network segmentation with firewall zones capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Network topology documentation with asset inventory diff --git a/skills/implementing-network-traffic-baselining/SKILL.md b/skills/implementing-network-traffic-baselining/SKILL.md index ea3a9837..9c1eee8b 100644 --- a/skills/implementing-network-traffic-baselining/SKILL.md +++ b/skills/implementing-network-traffic-baselining/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 Network traffic baselining establishes normal communication patterns by analyzing historical NetFlow/IPFIX data to create statistical profiles of expected behavior. This skill uses Python pandas to compute hourly and daily traffic distributions, per-host byte/packet counts, protocol ratios, and top-N talker profiles. Anomalies are detected using z-score thresholds and IQR (interquartile range) outlier methods, enabling SOC analysts to identify deviations such as data exfiltration spikes, beaconing patterns, and unusual port usage. + +## When to Use + +- When deploying or configuring implementing network traffic baselining capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - NetFlow v5/v9 or IPFIX flow data exported as CSV or JSON diff --git a/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md b/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md index 1cadfc76..8f9e5928 100644 --- a/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md +++ b/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Palo Alto Networks Next-Generation Firewalls (NGFWs) move beyond traditional port-based rule enforcement to application-aware, identity-driven security policies. By leveraging App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat inspection, and SSL decryption for encrypted traffic visibility, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment from initial configuration through advanced threat prevention profiles. + +## When to Use + +- When deploying or configuring implementing next generation firewall with palo alto capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Palo Alto Networks PA-series appliance or VM-Series virtual firewall diff --git a/skills/implementing-patch-management-workflow/SKILL.md b/skills/implementing-patch-management-workflow/SKILL.md index 4c0a896d..4207a63a 100644 --- a/skills/implementing-patch-management-workflow/SKILL.md +++ b/skills/implementing-patch-management-workflow/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Patch management is the systematic process of identifying, testing, deploying, and verifying software updates to remediate vulnerabilities across an organization's IT infrastructure. An effective patch management workflow reduces the attack surface while minimizing operational disruption through structured testing, approval gates, and phased rollouts. + +## When to Use + +- When deploying or configuring implementing patch management workflow capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Vulnerability scan results identifying missing patches - Patch management tools (WSUS, SCCM/MECM, Ansible, Intune, Jamf) diff --git a/skills/implementing-patch-management-workflow/scripts/agent.py b/skills/implementing-patch-management-workflow/scripts/agent.py index e3996f85..2eec2152 100644 --- a/skills/implementing-patch-management-workflow/scripts/agent.py +++ b/skills/implementing-patch-management-workflow/scripts/agent.py @@ -1,61 +1,284 @@ #!/usr/bin/env python3 -"""Patch management workflow automation.""" -import argparse, json -from datetime import datetime, timezone +"""Patch management workflow agent. + +Audits system patch compliance by checking installed package versions +against known vulnerabilities, tracking patch SLA adherence, and +generating remediation reports. Supports Linux (apt/yum) and basic +CVE cross-referencing via the CISA KEV catalog. +""" +import argparse +import json +import os +import subprocess +import sys +from datetime import datetime, timezone, timedelta + try: import requests except ImportError: requests = None -def audit_config(target, token): + +def check_apt_updates(): + """Check for available security updates on Debian/Ubuntu systems.""" findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} - try: - resp = requests.get(f"{target}/api/v1/status", headers=headers, timeout=10) - if resp.status_code == 200: - data = resp.json() - if not data.get("enabled", True): - findings.append({"check": "Service Status", "status": "DISABLED", "severity": "CRITICAL"}) - elif resp.status_code == 401: - findings.append({"check": "Authentication", "status": "UNAUTHORIZED", "severity": "HIGH"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) + print("[*] Checking apt security updates...") + + # Update package lists + result = subprocess.run( + ["apt-get", "update", "-qq"], + capture_output=True, text=True, timeout=120, + ) + + # List upgradable packages + result = subprocess.run( + ["apt", "list", "--upgradable"], + capture_output=True, text=True, timeout=60, + ) + if result.returncode != 0: + return [{"check": "apt updates", "status": "ERROR", "severity": "HIGH", + "detail": result.stderr[:200]}] + + for line in result.stdout.strip().splitlines(): + if "Listing..." in line: + continue + parts = line.split("/") + if len(parts) >= 2: + pkg_name = parts[0] + is_security = "security" in line.lower() + version_info = line.split() + current = version_info[-1] if len(version_info) > 3 else "unknown" + available = version_info[1] if len(version_info) > 1 else "unknown" + findings.append({ + "package": pkg_name, + "current_version": current, + "available_version": available, + "is_security_update": is_security, + "severity": "CRITICAL" if is_security else "MEDIUM", + }) + + security_count = sum(1 for f in findings if f.get("is_security_update")) + print(f"[+] Found {len(findings)} updates ({security_count} security)") return findings -def check_compliance(target, token): + +def check_yum_updates(): + """Check for available security updates on RHEL/CentOS systems.""" findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} - try: - resp = requests.get(f"{target}/api/v1/compliance", headers=headers, timeout=10) - if resp.status_code == 200: - for item in resp.json().get("checks", []): - if item.get("status") != "PASS": - findings.append({"check": item.get("name"), "status": item.get("status"), - "severity": item.get("severity", "MEDIUM")}) - except requests.RequestException: - pass + print("[*] Checking yum/dnf security updates...") + + for pkg_mgr in ["dnf", "yum"]: + result = subprocess.run( + [pkg_mgr, "check-update", "--security", "-q"], + capture_output=True, text=True, timeout=120, + ) + if result.returncode in (0, 100): + break + else: + return [{"check": "yum/dnf", "status": "ERROR", "severity": "HIGH", + "detail": "Neither yum nor dnf available"}] + + for line in result.stdout.strip().splitlines(): + parts = line.split() + if len(parts) >= 3: + findings.append({ + "package": parts[0], + "available_version": parts[1], + "repository": parts[2] if len(parts) > 2 else "", + "is_security_update": True, + "severity": "HIGH", + }) + + print(f"[+] Found {len(findings)} security updates") return findings + +def check_windows_updates(): + """Check for pending Windows updates via PowerShell.""" + findings = [] + print("[*] Checking Windows Update status...") + + ps_script = ( + "Get-HotFix | Sort-Object InstalledOn -Descending | " + "Select-Object -First 20 HotFixID, Description, InstalledOn | " + "ConvertTo-Json" + ) + result = subprocess.run( + ["powershell", "-Command", ps_script], + capture_output=True, text=True, timeout=120, + ) + if result.returncode == 0 and result.stdout.strip(): + try: + hotfixes = json.loads(result.stdout) + if isinstance(hotfixes, dict): + hotfixes = [hotfixes] + for hf in hotfixes: + findings.append({ + "hotfix_id": hf.get("HotFixID", ""), + "description": hf.get("Description", ""), + "installed_on": str(hf.get("InstalledOn", "")), + "status": "installed", + }) + if hotfixes: + latest = hotfixes[0] + installed_date = latest.get("InstalledOn", "") + print(f"[+] Latest patch: {latest.get('HotFixID', 'N/A')} ({installed_date})") + except json.JSONDecodeError: + pass + + return findings + + +def check_kev_exposure(package_cves): + """Cross-reference package CVEs against CISA KEV catalog.""" + if not requests: + return [] + + kev_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + try: + resp = requests.get(kev_url, timeout=30) + resp.raise_for_status() + kev_data = resp.json() + kev_cves = {v["cveID"] for v in kev_data.get("vulnerabilities", [])} + except Exception: + return [] + + exposed = [] + for cve_id in package_cves: + if cve_id.upper() in kev_cves: + exposed.append({ + "cve_id": cve_id, + "in_kev": True, + "severity": "CRITICAL", + "description": "Actively exploited vulnerability (CISA KEV)", + }) + return exposed + + +def assess_patch_sla(findings, sla_days=None): + """Assess patch compliance against SLA targets.""" + if sla_days is None: + sla_days = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180} + + sla_findings = [] + for f in findings: + severity = f.get("severity", "MEDIUM") + target_days = sla_days.get(severity, 90) + sla_findings.append({ + "package": f.get("package", f.get("hotfix_id", "unknown")), + "severity": severity, + "sla_target_days": target_days, + "in_sla": True, # Would need install date to determine + "recommendation": f"Patch within {target_days} days per SLA policy", + }) + return sla_findings + + +def format_summary(findings, kev_findings, sla_findings, platform): + """Print patch management summary.""" + print(f"\n{'='*60}") + print(f" Patch Management Audit Report") + print(f"{'='*60}") + print(f" Platform : {platform}") + print(f" Pending Updates : {len(findings)}") + + security = sum(1 for f in findings if f.get("is_security_update")) + print(f" Security Updates: {security}") + print(f" KEV Matches : {len(kev_findings)}") + + severity_counts = {} + for f in findings: + sev = f.get("severity", "MEDIUM") + severity_counts[sev] = severity_counts.get(sev, 0) + 1 + + print(f"\n By Severity:") + for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]: + count = severity_counts.get(sev, 0) + if count > 0: + print(f" {sev:10s}: {count}") + + if kev_findings: + print(f"\n CISA KEV Exposed CVEs (IMMEDIATE ACTION):") + for k in kev_findings: + print(f" {k['cve_id']}: {k['description']}") + + if findings: + print(f"\n Pending Updates:") + for f in findings[:20]: + pkg = f.get("package", f.get("hotfix_id", "unknown")) + sev = f.get("severity", "MEDIUM") + sec = " [SECURITY]" if f.get("is_security_update") else "" + print(f" [{sev:8s}] {pkg}{sec}") + + return severity_counts + + def main(): - p = argparse.ArgumentParser(description="Patch management workflow automation") - p.add_argument("--target", required=True, help="Target URL") - p.add_argument("--token", required=True, help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = p.parse_args() - print("[*] Patch management workflow automation") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []} - report["findings"].extend(audit_config(a.target, a.token)) - report["findings"].extend(check_compliance(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: + parser = argparse.ArgumentParser( + description="Patch management workflow audit agent" + ) + parser.add_argument("--platform", choices=["auto", "apt", "yum", "windows"], + default="auto", help="Package manager to check") + parser.add_argument("--cves", nargs="+", help="CVE IDs to check against KEV") + parser.add_argument("--sla-critical", type=int, default=7, help="SLA days for critical (default: 7)") + parser.add_argument("--sla-high", type=int, default=30, help="SLA days for high (default: 30)") + parser.add_argument("--output", "-o", help="Output JSON report path") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + findings = [] + platform = args.platform + + if platform == "auto": + if sys.platform == "win32": + platform = "windows" + elif os.path.isfile("/usr/bin/apt"): + platform = "apt" + elif os.path.isfile("/usr/bin/yum") or os.path.isfile("/usr/bin/dnf"): + platform = "yum" + else: + print("[!] Could not detect package manager", file=sys.stderr) + sys.exit(1) + + if platform == "apt": + findings = check_apt_updates() + elif platform == "yum": + findings = check_yum_updates() + elif platform == "windows": + findings = check_windows_updates() + + kev_findings = [] + if args.cves: + kev_findings = check_kev_exposure(args.cves) + + sla_days = {"CRITICAL": args.sla_critical, "HIGH": args.sla_high, "MEDIUM": 90, "LOW": 180} + sla_findings = assess_patch_sla(findings, sla_days) + + severity_counts = format_summary(findings, kev_findings, sla_findings, platform) + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "Patch Management Audit", + "platform": platform, + "pending_updates": findings, + "kev_exposure": kev_findings, + "sla_assessment": sla_findings, + "severity_counts": severity_counts, + "risk_level": ( + "CRITICAL" if kev_findings or severity_counts.get("CRITICAL", 0) > 0 + else "HIGH" if severity_counts.get("HIGH", 0) > 0 + else "MEDIUM" if findings + else "LOW" + ), + } + + if args.output: + with open(args.output, "w") as f: + json.dump(report, f, indent=2) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: print(json.dumps(report, indent=2)) + if __name__ == "__main__": main() diff --git a/skills/implementing-pci-dss-compliance-controls/SKILL.md b/skills/implementing-pci-dss-compliance-controls/SKILL.md index df7258e9..8b97f951 100644 --- a/skills/implementing-pci-dss-compliance-controls/SKILL.md +++ b/skills/implementing-pci-dss-compliance-controls/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 ## Overview PCI DSS 4.0.1 establishes 12 requirements across 6 control objectives for organizations that store, process, or transmit cardholder data. With PCI DSS 3.2.1 retiring April 2024 and 51 new requirements becoming mandatory March 31, 2025, this skill covers implementing all requirements including the new customized validation approach, enhanced authentication, and continuous monitoring controls. + +## When to Use + +- When deploying or configuring implementing pci dss compliance controls capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Understanding of payment card processing flows and cardholder data environment (CDE) - Knowledge of network segmentation and security architecture diff --git a/skills/implementing-pci-dss-compliance-controls/scripts/agent.py b/skills/implementing-pci-dss-compliance-controls/scripts/agent.py index d4a1afb5..f3acffce 100644 --- a/skills/implementing-pci-dss-compliance-controls/scripts/agent.py +++ b/skills/implementing-pci-dss-compliance-controls/scripts/agent.py @@ -1,61 +1,324 @@ #!/usr/bin/env python3 -"""PCI DSS compliance control audit.""" -import argparse, json +"""PCI DSS compliance control audit agent. + +Audits systems and configurations against PCI DSS v4.0 requirements +including network segmentation, encryption, access controls, logging, +vulnerability management, and secure configuration checks. +""" +import argparse +import json +import os +import re +import socket +import ssl +import subprocess +import sys from datetime import datetime, timezone -try: - import requests -except ImportError: - requests = None -def audit_config(target, token): + +def check_tls_configuration(host, port=443): + """PCI DSS Req 4.2.1 - Strong cryptography for transmission.""" findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} + print(f"[*] Req 4.2.1: Checking TLS on {host}:{port}") try: - resp = requests.get(f"{target}/api/v1/status", headers=headers, timeout=10) - if resp.status_code == 200: - data = resp.json() - if not data.get("enabled", True): - findings.append({"check": "Service Status", "status": "DISABLED", "severity": "CRITICAL"}) - elif resp.status_code == 401: - findings.append({"check": "Authentication", "status": "UNAUTHORIZED", "severity": "HIGH"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) + context = ssl.create_default_context() + with socket.create_connection((host, port), timeout=10) as sock: + with context.wrap_socket(sock, server_hostname=host) as ssock: + protocol = ssock.version() + cipher = ssock.cipher() + if protocol in ("TLSv1.0", "TLSv1.1", "SSLv3", "SSLv2"): + findings.append({ + "requirement": "4.2.1", "check": "TLS Protocol Version", + "status": "FAIL", "severity": "CRITICAL", + "detail": f"Deprecated protocol: {protocol}", + }) + else: + findings.append({ + "requirement": "4.2.1", "check": "TLS Protocol Version", + "status": "PASS", "severity": "INFO", + "detail": f"Protocol: {protocol}", + }) + if cipher: + weak_ciphers = ["RC4", "DES", "3DES", "NULL", "EXPORT", "MD5"] + if any(w in cipher[0] for w in weak_ciphers): + findings.append({ + "requirement": "4.2.1", "check": "Cipher Strength", + "status": "FAIL", "severity": "HIGH", + "detail": f"Weak cipher: {cipher[0]}", + }) + else: + findings.append({ + "requirement": "4.2.1", "check": "Cipher Strength", + "status": "PASS", "severity": "INFO", + "detail": f"Cipher: {cipher[0]} ({cipher[2]} bits)", + }) + except Exception as e: + findings.append({ + "requirement": "4.2.1", "check": "TLS Connection", + "status": "ERROR", "severity": "HIGH", "detail": str(e)[:100], + }) return findings -def check_compliance(target, token): + +def check_password_policy(): + """PCI DSS Req 8.3.6 - Password complexity requirements.""" findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} - try: - resp = requests.get(f"{target}/api/v1/compliance", headers=headers, timeout=10) - if resp.status_code == 200: - for item in resp.json().get("checks", []): - if item.get("status") != "PASS": - findings.append({"check": item.get("name"), "status": item.get("status"), - "severity": item.get("severity", "MEDIUM")}) - except requests.RequestException: - pass + print("[*] Req 8.3.6: Checking password policy") + + if sys.platform != "win32": + # Check PAM password quality + pam_files = ["/etc/pam.d/common-password", "/etc/pam.d/system-auth", + "/etc/security/pwquality.conf"] + for pam_file in pam_files: + if os.path.isfile(pam_file): + with open(pam_file, "r") as f: + content = f.read() + if "minlen" in content: + match = re.search(r'minlen\s*=\s*(\d+)', content) + if match and int(match.group(1)) >= 12: + findings.append({ + "requirement": "8.3.6", "check": "Min password length", + "status": "PASS", "severity": "INFO", + "detail": f"minlen={match.group(1)} in {pam_file}", + }) + else: + findings.append({ + "requirement": "8.3.6", "check": "Min password length", + "status": "FAIL", "severity": "HIGH", + "detail": f"Password minlen < 12 in {pam_file}", + }) + break + else: + findings.append({ + "requirement": "8.3.6", "check": "Password policy config", + "status": "WARN", "severity": "MEDIUM", + "detail": "Could not find PAM password config", + }) return findings + +def check_audit_logging(): + """PCI DSS Req 10.2 - Audit logging configuration.""" + findings = [] + print("[*] Req 10.2: Checking audit logging") + + if sys.platform != "win32": + # Check auditd + result = subprocess.run( + ["systemctl", "is-active", "auditd"], + capture_output=True, text=True, timeout=10, + ) + if result.stdout.strip() == "active": + findings.append({ + "requirement": "10.2", "check": "Audit daemon running", + "status": "PASS", "severity": "INFO", + }) + else: + findings.append({ + "requirement": "10.2", "check": "Audit daemon running", + "status": "FAIL", "severity": "CRITICAL", + "detail": "auditd is not running", + }) + + # Check syslog + for syslog in ["rsyslog", "syslog-ng"]: + result = subprocess.run( + ["systemctl", "is-active", syslog], + capture_output=True, text=True, timeout=10, + ) + if result.stdout.strip() == "active": + findings.append({ + "requirement": "10.2", "check": f"{syslog} running", + "status": "PASS", "severity": "INFO", + }) + break + return findings + + +def check_file_integrity(): + """PCI DSS Req 11.5.2 - File integrity monitoring.""" + findings = [] + print("[*] Req 11.5.2: Checking file integrity monitoring") + + fim_tools = { + "aide": ["/usr/bin/aide", "/usr/sbin/aide"], + "ossec": ["/var/ossec/bin/ossec-syscheckd"], + "tripwire": ["/usr/sbin/tripwire"], + "samhain": ["/usr/local/sbin/samhain"], + } + + found_fim = False + for tool_name, paths in fim_tools.items(): + for path in paths: + if os.path.isfile(path): + findings.append({ + "requirement": "11.5.2", "check": f"FIM tool: {tool_name}", + "status": "PASS", "severity": "INFO", + "detail": f"Found at {path}", + }) + found_fim = True + break + + if not found_fim: + findings.append({ + "requirement": "11.5.2", "check": "File integrity monitoring", + "status": "FAIL", "severity": "HIGH", + "detail": "No FIM tool detected (AIDE, OSSEC, Tripwire, Samhain)", + }) + + return findings + + +def check_default_credentials(): + """PCI DSS Req 2.2.2 - Change vendor defaults.""" + findings = [] + print("[*] Req 2.2.2: Checking for default credentials") + + # Check for common default accounts + if os.path.isfile("/etc/passwd"): + with open("/etc/passwd", "r") as f: + for line in f: + parts = line.strip().split(":") + if len(parts) >= 7: + username = parts[0] + shell = parts[6] + if username in ("guest", "test", "demo", "admin") and shell not in ("/usr/sbin/nologin", "/bin/false"): + findings.append({ + "requirement": "2.2.2", "check": f"Default account: {username}", + "status": "FAIL", "severity": "HIGH", + "detail": f"Account '{username}' has login shell: {shell}", + }) + + return findings + + +def check_network_segmentation(target_ip, ports=None): + """PCI DSS Req 1.3 - Network segmentation check.""" + findings = [] + if not ports: + ports = [22, 80, 443, 3306, 5432, 1433, 6379, 9200, 27017] + print(f"[*] Req 1.3: Checking network segmentation to {target_ip}") + + for port in ports: + try: + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.settimeout(3) + result = sock.connect_ex((target_ip, port)) + sock.close() + if result == 0: + findings.append({ + "requirement": "1.3", "check": f"Port {port} reachable", + "status": "WARN", "severity": "MEDIUM", + "detail": f"{target_ip}:{port} is open from this network segment", + }) + except Exception: + pass + + if not findings: + findings.append({ + "requirement": "1.3", "check": "Network segmentation", + "status": "PASS", "severity": "INFO", + "detail": f"No tested ports reachable on {target_ip}", + }) + + return findings + + +def format_summary(all_findings): + """Print PCI DSS audit summary.""" + print(f"\n{'='*60}") + print(f" PCI DSS v4.0 Compliance Audit Report") + print(f"{'='*60}") + + pass_count = sum(1 for f in all_findings if f["status"] == "PASS") + fail_count = sum(1 for f in all_findings if f["status"] == "FAIL") + warn_count = sum(1 for f in all_findings if f["status"] == "WARN") + + print(f" Total Checks : {len(all_findings)}") + print(f" Passed : {pass_count}") + print(f" Failed : {fail_count}") + print(f" Warnings : {warn_count}") + + by_req = {} + for f in all_findings: + req = f.get("requirement", "unknown") + by_req.setdefault(req, []).append(f) + + print(f"\n Results by Requirement:") + for req in sorted(by_req.keys()): + items = by_req[req] + failed = sum(1 for i in items if i["status"] == "FAIL") + passed = sum(1 for i in items if i["status"] == "PASS") + status = "FAIL" if failed > 0 else "PASS" + print(f" Req {req:8s}: [{status:4s}] {passed} passed, {failed} failed") + + if fail_count > 0: + print(f"\n Failed Checks:") + for f in all_findings: + if f["status"] == "FAIL": + print(f" [{f['severity']:8s}] Req {f['requirement']}: {f['check']} - {f.get('detail', '')}") + + severity_counts = {} + for f in all_findings: + if f["status"] == "FAIL": + sev = f.get("severity", "MEDIUM") + severity_counts[sev] = severity_counts.get(sev, 0) + 1 + return severity_counts + + def main(): - p = argparse.ArgumentParser(description="PCI DSS compliance control audit") - p.add_argument("--target", required=True, help="Target URL") - p.add_argument("--token", required=True, help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = p.parse_args() - print("[*] PCI DSS compliance control audit") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []} - report["findings"].extend(audit_config(a.target, a.token)) - report["findings"].extend(check_compliance(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: + parser = argparse.ArgumentParser(description="PCI DSS compliance control audit agent") + parser.add_argument("--tls-host", help="Host to check TLS configuration") + parser.add_argument("--tls-port", type=int, default=443) + parser.add_argument("--segment-target", help="IP to check network segmentation") + parser.add_argument("--skip-password", action="store_true") + parser.add_argument("--skip-logging", action="store_true") + parser.add_argument("--skip-fim", action="store_true") + parser.add_argument("--output", "-o", help="Output JSON report") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + all_findings = [] + + if args.tls_host: + all_findings.extend(check_tls_configuration(args.tls_host, args.tls_port)) + if not args.skip_password: + all_findings.extend(check_password_policy()) + if not args.skip_logging: + all_findings.extend(check_audit_logging()) + if not args.skip_fim: + all_findings.extend(check_file_integrity()) + all_findings.extend(check_default_credentials()) + if args.segment_target: + all_findings.extend(check_network_segmentation(args.segment_target)) + + if not all_findings: + print("[!] No checks performed. Use --tls-host or other options.", file=sys.stderr) + sys.exit(1) + + severity_counts = format_summary(all_findings) + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "PCI DSS Audit", + "standard": "PCI DSS v4.0", + "findings": all_findings, + "severity_counts": severity_counts, + "risk_level": ( + "CRITICAL" if severity_counts.get("CRITICAL", 0) > 0 + else "HIGH" if severity_counts.get("HIGH", 0) > 0 + else "MEDIUM" if severity_counts.get("MEDIUM", 0) > 0 + else "LOW" + ), + } + + if args.output: + with open(args.output, "w") as f: + json.dump(report, f, indent=2) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: print(json.dumps(report, indent=2)) + if __name__ == "__main__": main() diff --git a/skills/implementing-privileged-access-workstation/SKILL.md b/skills/implementing-privileged-access-workstation/SKILL.md index 48f76bd4..761b9dab 100644 --- a/skills/implementing-privileged-access-workstation/SKILL.md +++ b/skills/implementing-privileged-access-workstation/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 A Privileged Access Workstation (PAW) is a hardened device dedicated to performing sensitive administrative tasks. This skill covers PAW design using the tiered administration model, device compliance enforcement via Microsoft Intune or Group Policy, just-in-time (JIT) access provisioning, and integration with privileged access management (PAM) platforms like CyberArk and BeyondTrust. + +## When to Use + +- When deploying or configuring implementing privileged access workstation capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Windows 10/11 Enterprise with Virtualization Based Security (VBS) diff --git a/skills/implementing-proofpoint-email-security-gateway/SKILL.md b/skills/implementing-proofpoint-email-security-gateway/SKILL.md index 5f6a9f6d..9418b67e 100644 --- a/skills/implementing-proofpoint-email-security-gateway/SKILL.md +++ b/skills/implementing-proofpoint-email-security-gateway/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per day. + +## When to Use + +- When deploying or configuring implementing proofpoint email security gateway capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Proofpoint Email Protection license (PPS on-premises or Proofpoint on Demand cloud) - Administrative access to DNS management for MX record changes diff --git a/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md b/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md index ebf89957..0cfc021f 100644 --- a/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md +++ b/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Rapid7 InsightVM (formerly Nexpose) is an enterprise vulnerability management platform that combines on-premises scanning via Security Console and Scan Engines with cloud-based analytics through the Insight Platform. InsightVM leverages Rapid7's vulnerability research library, Metasploit exploit knowledge, global attacker behavior data, internet-wide scanning telemetry, and real-time reporting to provide comprehensive vulnerability visibility. This skill covers deploying the Security Console, configuring Scan Engines, setting up scan templates, credentialed scanning, and integrating with the Insight Agent for continuous assessment. + +## When to Use + +- When deploying or configuring implementing rapid7 insightvm for scanning capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Server meeting minimum requirements: 16 GB RAM, 4 CPU cores, 500 GB disk (Security Console) - Scan Engine: 8 GB RAM, 4 CPU cores, 100 GB disk diff --git a/skills/implementing-rbac-hardening-for-kubernetes/scripts/agent.py b/skills/implementing-rbac-hardening-for-kubernetes/scripts/agent.py index be8be348..0ac06ed8 100644 --- a/skills/implementing-rbac-hardening-for-kubernetes/scripts/agent.py +++ b/skills/implementing-rbac-hardening-for-kubernetes/scripts/agent.py @@ -1,61 +1,253 @@ #!/usr/bin/env python3 -"""Kubernetes RBAC hardening audit.""" -import argparse, json +"""Kubernetes RBAC hardening audit agent. + +Audits Kubernetes Role-Based Access Control configuration for security +weaknesses including overly permissive ClusterRoles, wildcard permissions, +privilege escalation paths, and service account misconfigurations. +""" +import argparse +import json +import os +import subprocess +import sys from datetime import datetime, timezone -try: - import requests -except ImportError: - requests = None -def audit_config(target, token): - findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} + +def run_kubectl(args_list, timeout=60): + """Execute kubectl and return parsed JSON.""" + cmd = ["kubectl"] + args_list + ["-o", "json"] + result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout) + if result.returncode != 0: + return None try: - resp = requests.get(f"{target}/api/v1/status", headers=headers, timeout=10) - if resp.status_code == 200: - data = resp.json() - if not data.get("enabled", True): - findings.append({"check": "Service Status", "status": "DISABLED", "severity": "CRITICAL"}) - elif resp.status_code == 401: - findings.append({"check": "Authentication", "status": "UNAUTHORIZED", "severity": "HIGH"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) + return json.loads(result.stdout) + except json.JSONDecodeError: + return None + + +def audit_cluster_roles(): + """Audit ClusterRoles for dangerous permissions.""" + findings = [] + data = run_kubectl(["get", "clusterroles"]) + if not data: + return findings + + dangerous_verbs = {"*", "create", "update", "patch", "delete"} + dangerous_resources = {"secrets", "pods/exec", "clusterroles", "clusterrolebindings", + "roles", "rolebindings", "serviceaccounts", "nodes"} + escalation_resources = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"} + + for role in data.get("items", []): + name = role.get("metadata", {}).get("name", "") + if name.startswith("system:"): + continue # Skip system roles + + for rule in role.get("rules", []): + verbs = set(rule.get("verbs", [])) + resources = set(rule.get("resources", [])) + api_groups = rule.get("apiGroups", []) + + # Wildcard everything + if "*" in verbs and "*" in resources: + findings.append({ + "type": "wildcard_all", "role": name, "kind": "ClusterRole", + "severity": "CRITICAL", + "detail": "Full wildcard access (verbs: *, resources: *)", + "recommendation": "Replace with specific verbs and resources", + }) + + # Secrets access + if resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}: + findings.append({ + "type": "secrets_access", "role": name, "kind": "ClusterRole", + "severity": "HIGH", + "detail": f"Can read secrets (verbs: {verbs & {'get', 'list', 'watch', '*'}})", + }) + + # Pod exec + if "pods/exec" in resources or ("pods" in resources and "create" in verbs): + findings.append({ + "type": "pod_exec", "role": name, "kind": "ClusterRole", + "severity": "HIGH", + "detail": "Can exec into pods (container escape risk)", + }) + + # Privilege escalation via RBAC modification + if resources & escalation_resources and verbs & {"create", "update", "patch", "*"}: + findings.append({ + "type": "rbac_escalation", "role": name, "kind": "ClusterRole", + "severity": "CRITICAL", + "detail": f"Can modify RBAC resources: {resources & escalation_resources}", + }) + + # Node access + if "nodes" in resources and verbs & {"get", "list", "proxy", "*"}: + findings.append({ + "type": "node_access", "role": name, "kind": "ClusterRole", + "severity": "MEDIUM", + "detail": "Can access node resources", + }) + return findings -def check_compliance(target, token): + +def audit_cluster_role_bindings(): + """Audit ClusterRoleBindings for overly broad subject assignments.""" findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} - try: - resp = requests.get(f"{target}/api/v1/compliance", headers=headers, timeout=10) - if resp.status_code == 200: - for item in resp.json().get("checks", []): - if item.get("status") != "PASS": - findings.append({"check": item.get("name"), "status": item.get("status"), - "severity": item.get("severity", "MEDIUM")}) - except requests.RequestException: - pass + data = run_kubectl(["get", "clusterrolebindings"]) + if not data: + return findings + + for binding in data.get("items", []): + name = binding.get("metadata", {}).get("name", "") + if name.startswith("system:"): + continue + + role_ref = binding.get("roleRef", {}) + role_name = role_ref.get("name", "") + subjects = binding.get("subjects", []) + + for subject in subjects: + kind = subject.get("kind", "") + subj_name = subject.get("name", "") + namespace = subject.get("namespace", "") + + # Cluster-admin binding + if role_name == "cluster-admin": + findings.append({ + "type": "cluster_admin_binding", + "binding": name, "subject": f"{kind}/{subj_name}", + "severity": "CRITICAL", + "detail": f"cluster-admin bound to {kind} '{subj_name}'", + }) + + # Group bindings to all authenticated/unauthenticated + if kind == "Group" and subj_name in ("system:authenticated", "system:unauthenticated"): + findings.append({ + "type": "broad_group_binding", + "binding": name, "subject": subj_name, + "severity": "CRITICAL" if subj_name == "system:unauthenticated" else "HIGH", + "detail": f"Role '{role_name}' bound to group '{subj_name}'", + }) + + # Default service account bindings + if kind == "ServiceAccount" and subj_name == "default": + findings.append({ + "type": "default_sa_binding", + "binding": name, "subject": f"default SA in {namespace}", + "severity": "MEDIUM", + "detail": f"Role '{role_name}' bound to default service account", + }) + return findings + +def audit_service_accounts(namespace=None): + """Audit service accounts for misconfigurations.""" + findings = [] + cmd = ["get", "serviceaccounts", "--all-namespaces"] if not namespace else ["get", "serviceaccounts", "-n", namespace] + data = run_kubectl(cmd) + if not data: + return findings + + for sa in data.get("items", []): + name = sa.get("metadata", {}).get("name", "") + ns = sa.get("metadata", {}).get("namespace", "") + automount = sa.get("automountServiceAccountToken", None) + + if name == "default" and automount is not False: + findings.append({ + "type": "default_sa_automount", + "namespace": ns, "service_account": name, + "severity": "MEDIUM", + "detail": f"Default SA in '{ns}' has automountServiceAccountToken enabled", + "recommendation": "Set automountServiceAccountToken: false on default SA", + }) + + secrets = sa.get("secrets", []) + if len(secrets) > 1: + findings.append({ + "type": "sa_multiple_secrets", + "namespace": ns, "service_account": name, + "severity": "LOW", + "detail": f"SA has {len(secrets)} token secrets", + }) + + return findings + + +def format_summary(role_findings, binding_findings, sa_findings): + """Print RBAC audit summary.""" + all_findings = role_findings + binding_findings + sa_findings + print(f"\n{'='*60}") + print(f" Kubernetes RBAC Hardening Audit") + print(f"{'='*60}") + print(f" ClusterRole Issues : {len(role_findings)}") + print(f" Binding Issues : {len(binding_findings)}") + print(f" ServiceAccount Issues : {len(sa_findings)}") + print(f" Total Findings : {len(all_findings)}") + + severity_counts = {} + for f in all_findings: + sev = f.get("severity", "INFO") + severity_counts[sev] = severity_counts.get(sev, 0) + 1 + + print(f"\n By Severity:") + for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]: + count = severity_counts.get(sev, 0) + if count: + print(f" {sev:10s}: {count}") + + if all_findings: + print(f"\n Top Findings:") + for f in sorted(all_findings, key=lambda x: {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}.get(x["severity"], 9))[:15]: + print(f" [{f['severity']:8s}] {f['type']:25s} | {f.get('detail', '')[:50]}") + + return severity_counts + + def main(): - p = argparse.ArgumentParser(description="Kubernetes RBAC hardening audit") - p.add_argument("--target", required=True, help="Target URL") - p.add_argument("--token", required=True, help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = p.parse_args() - print("[*] Kubernetes RBAC hardening audit") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []} - report["findings"].extend(audit_config(a.target, a.token)) - report["findings"].extend(check_compliance(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: + parser = argparse.ArgumentParser(description="Kubernetes RBAC hardening audit agent") + parser.add_argument("--namespace", "-n", help="Specific namespace to audit") + parser.add_argument("--kubeconfig", help="Path to kubeconfig") + parser.add_argument("--skip-roles", action="store_true") + parser.add_argument("--skip-bindings", action="store_true") + parser.add_argument("--skip-sa", action="store_true") + parser.add_argument("--output", "-o", help="Output JSON report") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + if args.kubeconfig: + os.environ["KUBECONFIG"] = args.kubeconfig + + role_findings = [] if args.skip_roles else audit_cluster_roles() + binding_findings = [] if args.skip_bindings else audit_cluster_role_bindings() + sa_findings = [] if args.skip_sa else audit_service_accounts(args.namespace) + + severity_counts = format_summary(role_findings, binding_findings, sa_findings) + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "K8s RBAC Audit", + "role_findings": role_findings, + "binding_findings": binding_findings, + "sa_findings": sa_findings, + "severity_counts": severity_counts, + "risk_level": ( + "CRITICAL" if severity_counts.get("CRITICAL", 0) > 0 + else "HIGH" if severity_counts.get("HIGH", 0) > 0 + else "MEDIUM" if severity_counts.get("MEDIUM", 0) > 0 + else "LOW" + ), + } + + if args.output: + with open(args.output, "w") as f: + json.dump(report, f, indent=2) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: print(json.dumps(report, indent=2)) + if __name__ == "__main__": main() diff --git a/skills/implementing-runtime-application-self-protection/SKILL.md b/skills/implementing-runtime-application-self-protection/SKILL.md index 3d5ba036..320c546d 100644 --- a/skills/implementing-runtime-application-self-protection/SKILL.md +++ b/skills/implementing-runtime-application-self-protection/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Runtime Application Self-Protection (RASP) instruments application code at runtime to detect and block attacks by examining actual execution context rather than relying solely on network traffic patterns. Unlike WAFs that inspect HTTP requests externally, RASP agents intercept dangerous operations (SQL queries, file operations, command execution, deserialization) at the function level inside the application, achieving near-zero false positives. This skill covers deploying OpenRASP for Java applications, configuring detection policies for OWASP Top 10 attacks, tuning alerting thresholds, and integrating RASP telemetry with SIEM platforms. + +## When to Use + +- When deploying or configuring implementing runtime application self protection capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Java 8+ application server (Tomcat, Spring Boot, or JBoss) or Python Flask/Django application diff --git a/skills/implementing-scim-provisioning-with-okta/SKILL.md b/skills/implementing-scim-provisioning-with-okta/SKILL.md index be28deff..55b2b867 100644 --- a/skills/implementing-scim-provisioning-with-okta/SKILL.md +++ b/skills/implementing-scim-provisioning-with-okta/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 SCIM (System for Cross-domain Identity Management) is an open standard protocol (RFC 7644) that automates the exchange of user identity information between identity providers like Okta and service providers. This skill covers building a SCIM 2.0-compliant API endpoint and integrating it with Okta for automated user lifecycle management including provisioning, deprovisioning, profile updates, and group management. + +## When to Use + +- When deploying or configuring implementing scim provisioning with okta capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Okta tenant with admin access (Developer or Production) diff --git a/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md b/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md index 17ac6d5a..f95f1fb5 100644 --- a/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md +++ b/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md @@ -18,6 +18,14 @@ This skill covers implementing automated secrets scanning in CI/CD pipelines usi Gitleaks scans git repositories and directories for hardcoded secrets using regex patterns and entropy analysis. TruffleHog performs filesystem and git history scans with optional secret verification against live services. Together they provide comprehensive coverage for secrets detection. + +## When to Use + +- When deploying or configuring implementing secrets scanning in ci cd capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9 or later diff --git a/skills/implementing-siem-use-case-tuning/SKILL.md b/skills/implementing-siem-use-case-tuning/SKILL.md index 0cabb43f..ba22eddf 100644 --- a/skills/implementing-siem-use-case-tuning/SKILL.md +++ b/skills/implementing-siem-use-case-tuning/SKILL.md @@ -22,6 +22,14 @@ license: Apache-2.0 SIEM use case tuning reduces alert fatigue by systematically analyzing detection rules for false positive rates, adjusting thresholds based on environmental baselines, creating context-aware whitelists, and measuring detection efficacy through precision/recall metrics. This skill covers tuning workflows for Splunk correlation searches and Elastic detection rules, including statistical baselining, exclusion list management, and alert-to-incident conversion tracking. + +## When to Use + +- When deploying or configuring implementing siem use case tuning capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Splunk Enterprise/Cloud with ES or Elastic SIEM with detection rules enabled diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index 7bbea4cb..f914f665 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md @@ -18,6 +18,14 @@ This skill implements a phishing incident response workflow using the Splunk SOA Splunk SOAR orchestrates and automates security operations through playbooks that chain together investigative and response actions. The REST API at `/rest/container`, `/rest/artifact`, and `/rest/playbook_run` enables programmatic incident creation and automation triggering from external tools, email gateways, and SIEM alerts. + +## When to Use + +- When deploying or configuring implementing soar playbook for phishing capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9 or later with `requests` and `email` modules diff --git a/skills/implementing-stix-taxii-feed-integration/SKILL.md b/skills/implementing-stix-taxii-feed-integration/SKILL.md index a3254ea8..997347b5 100644 --- a/skills/implementing-stix-taxii-feed-integration/SKILL.md +++ b/skills/implementing-stix-taxii-feed-integration/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) are OASIS open standards for representing and transporting cyber threat intelligence. This skill covers implementing a STIX/TAXII 2.1 feed consumer and producer using Python, configuring TAXII server discovery, collection management, polling for new intelligence, parsing STIX 2.1 objects, and integrating feeds into SIEM and TIP platforms. + +## When to Use + +- When deploying or configuring implementing stix taxii feed integration capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `taxii2-client`, `stix2`, `cti-taxii-client` libraries diff --git a/skills/implementing-taxii-server-with-opentaxii/SKILL.md b/skills/implementing-taxii-server-with-opentaxii/SKILL.md index f6131433..7e167bf7 100644 --- a/skills/implementing-taxii-server-with-opentaxii/SKILL.md +++ b/skills/implementing-taxii-server-with-opentaxii/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 TAXII (Trusted Automated eXchange of Intelligence Information) is an OASIS standard protocol for exchanging cyber threat intelligence over HTTPS. OpenTAXII is an open-source TAXII server implementation by EclecticIQ that supports TAXII 1.x, while the OASIS cti-taxii-server provides a TAXII 2.1 reference implementation. This skill covers deploying a TAXII server, configuring collections for threat intelligence feeds, publishing STIX 2.1 bundles, and integrating with SIEM/SOAR platforms for automated indicator ingestion. + +## When to Use + +- When deploying or configuring implementing taxii server with opentaxii capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `medallion`, `stix2`, `taxii2-client`, `opentaxii`, `cabby` libraries diff --git a/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md b/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md index 4953489d..1c9a5594 100644 --- a/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md +++ b/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 The threat intelligence lifecycle is a structured, iterative process for transforming raw data into actionable intelligence. Based on the intelligence cycle used by military and government agencies, it comprises six phases: Direction (requirements gathering), Collection (data acquisition), Processing (normalization and deduplication), Analysis (contextualization and assessment), Dissemination (distribution to stakeholders), and Feedback (evaluation and refinement). This skill covers building each phase with tooling, metrics, and integration points for a mature CTI program. + +## When to Use + +- When deploying or configuring implementing threat intelligence lifecycle management capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `pymisp`, `stix2`, `requests`, `pandas` libraries diff --git a/skills/implementing-vulnerability-management-with-greenbone/SKILL.md b/skills/implementing-vulnerability-management-with-greenbone/SKILL.md index 024f916b..0aa10208 100644 --- a/skills/implementing-vulnerability-management-with-greenbone/SKILL.md +++ b/skills/implementing-vulnerability-management-with-greenbone/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Greenbone Vulnerability Management (GVM) is the open-source framework behind OpenVAS, providing comprehensive vulnerability scanning with over 100,000 Network Vulnerability Tests (NVTs). The python-gvm library provides a Python API to interact with GVM through the Greenbone Management Protocol (GMP), enabling programmatic creation of scan targets, task management, scan execution, and report retrieval. This skill covers connecting to GVM via Unix socket or TLS, authenticating, creating scan configs and targets, launching scans, and parsing XML-based vulnerability reports to produce actionable findings. + +## When to Use + +- When deploying or configuring implementing vulnerability management with greenbone capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Greenbone Community Edition or Greenbone Enterprise Appliance installed diff --git a/skills/implementing-vulnerability-remediation-sla/SKILL.md b/skills/implementing-vulnerability-remediation-sla/SKILL.md index bd87f6e8..1f0ed3b5 100644 --- a/skills/implementing-vulnerability-remediation-sla/SKILL.md +++ b/skills/implementing-vulnerability-remediation-sla/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities based on severity, asset criticality, and exploit availability. Effective SLA programs drive accountability, ensure consistent remediation timelines, and provide measurable KPIs for vulnerability management maturity. + +## When to Use + +- When deploying or configuring implementing vulnerability remediation sla capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Vulnerability scanning program producing regular findings - Asset inventory with criticality classifications diff --git a/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md b/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md index 2ca3ac1e..9e52d94d 100644 --- a/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md +++ b/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Vulnerability remediation SLAs define maximum timeframes for addressing security findings based on severity. This skill covers building an automated alerting system that tracks remediation timelines, detects SLA breaches, sends escalation notifications, and generates compliance reports. Industry-standard SLA targets are: Critical (24-48 hours), High (15-30 days), Medium (60 days), Low (90 days). + +## When to Use + +- When deploying or configuring implementing vulnerability sla breach alerting capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Python 3.9+ with `requests`, `pandas`, `jinja2`, `smtplib` libraries diff --git a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md index 31027c23..c2f9ffcb 100644 --- a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md +++ b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md @@ -23,6 +23,14 @@ Core Rule Set (CRS) provides generic attack detection rules covering SQL injecti RCE, LFI, and other OWASP Top 10 attacks. ModSecurity logs full request/response data in audit logs for forensic analysis and generates alerts that feed into SIEM platforms. + +## When to Use + +- When deploying or configuring implementing web application logging with modsecurity capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Web server (Apache 2.4+ or Nginx) with ModSecurity v3 module diff --git a/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md b/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md index bd8a6885..52efde98 100644 --- a/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md +++ b/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Zero Standing Privileges (ZSP) is a security model where no user or identity retains persistent privileged access. Instead, elevated access is provisioned dynamically on a just-in-time (JIT) basis and automatically revoked after use. CyberArk implements ZSP through its Secure Cloud Access (SCA) module, which creates ephemeral, scoped roles in cloud environments (AWS, Azure, GCP) that exist only for the duration of a session. The TEA framework -- Time, Entitlements, and Approvals -- governs every privileged access session. + +## When to Use + +- When deploying or configuring implementing zero standing privilege with cyberark capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - CyberArk Identity Security Platform (Privilege Cloud or self-hosted) diff --git a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md index 72941373..1611a693 100644 --- a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md +++ b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md @@ -1,9 +1,9 @@ --- name: implementing-zero-trust-network-access-with-zscaler -description: Implementing Zero Trust Network Access With Zscaler +description: Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based, context-aware access to private applications through the Zscaler Zero Trust Exchange. domain: cybersecurity -subdomain: security-operations -tags: [cybersecurity] +subdomain: zero-trust-architecture +tags: [zero-trust, ztna, zscaler, network-access, vpn-replacement] version: "1.0" author: mahipal license: Apache-2.0 @@ -11,19 +11,12 @@ license: Apache-2.0 # Implementing Zero Trust Network Access with Zscaler ---- -domain: cybersecurity -subdomain: zero-trust-architecture -author: mahipal -tags: [zero-trust, ztna, zscaler, network-access, vpn-replacement] -difficulty: advanced -estimated_time: 4-6 hours -prerequisites: - - Understanding of zero trust principles (NIST SP 800-207) - - Familiarity with identity providers (Okta, Azure AD, Ping Identity) - - Knowledge of network security fundamentals - - Access to Zscaler Private Access (ZPA) tenant ---- +## Prerequisites + +- Understanding of zero trust principles (NIST SP 800-207) +- Familiarity with identity providers (Okta, Azure AD, Ping Identity) +- Knowledge of network security fundamentals +- Access to Zscaler Private Access (ZPA) tenant ## Overview diff --git a/skills/implementing-zero-trust-with-beyondcorp/SKILL.md b/skills/implementing-zero-trust-with-beyondcorp/SKILL.md index 06ec500d..53815532 100644 --- a/skills/implementing-zero-trust-with-beyondcorp/SKILL.md +++ b/skills/implementing-zero-trust-with-beyondcorp/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Google BeyondCorp Enterprise implements the zero trust security model by eliminating the concept of a trusted network perimeter. Instead of relying on VPNs and network location, BeyondCorp authenticates and authorizes every request based on user identity, device posture, and contextual attributes. Identity-Aware Proxy (IAP) serves as the enforcement point, intercepting all requests to protected resources and evaluating them against Access Context Manager policies. This skill covers configuring IAP for web applications, defining access levels based on device trust and network attributes, and auditing access policies for compliance. + +## When to Use + +- When deploying or configuring implementing zero trust with beyondcorp capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + ## Prerequisites - Google Cloud project with BeyondCorp Enterprise license diff --git a/skills/performing-access-recertification-with-saviynt/SKILL.md b/skills/performing-access-recertification-with-saviynt/SKILL.md index 8b0a26f4..7bff135f 100644 --- a/skills/performing-access-recertification-with-saviynt/SKILL.md +++ b/skills/performing-access-recertification-with-saviynt/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Access recertification (also called access certification or access review) is a periodic process where designated reviewers validate that users have appropriate access to systems and data. Saviynt Enterprise Identity Cloud (EIC) automates this process through certification campaigns that present reviewers with current access assignments and collect approve/revoke/conditionally-certify decisions. Campaigns can be triggered on schedule (quarterly, semi-annually), event-driven (department transfer, role change), or on-demand. Saviynt provides intelligence features including risk scoring, usage analytics, and peer-group analysis to help reviewers make informed decisions. + +## When to Use + +- When conducting security assessments that involve performing access recertification with saviynt +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Saviynt Enterprise Identity Cloud (EIC) tenant with admin access diff --git a/skills/performing-active-directory-forest-trust-attack/SKILL.md b/skills/performing-active-directory-forest-trust-attack/SKILL.md index ec536977..a5275e23 100644 --- a/skills/performing-active-directory-forest-trust-attack/SKILL.md +++ b/skills/performing-active-directory-forest-trust-attack/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Active Directory forest trusts enable authentication across organizational boundaries but introduce attack surface if misconfigured. This skill uses impacket to enumerate trust relationships, analyze SID filtering configuration, detect SID history abuse vectors, perform cross-forest SID lookups via LSA/LSAT RPC calls, and assess inter-realm Kerberos ticket configurations for trust ticket forgery risks. + +## When to Use + +- When conducting security assessments that involve performing active directory forest trust attack +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Python 3.9+ with `impacket`, `ldap3` diff --git a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md index bbe522ac..89af8933 100644 --- a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md +++ b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Adversary-in-the-Middle (AiTM) phishing attacks use reverse-proxy infrastructure to sit between the victim and the legitimate authentication service, intercepting both credentials and session cookies in real time. This allows attackers to bypass multi-factor authentication (MFA). The most prevalent PhaaS kits in 2025 include Tycoon 2FA, Sneaky 2FA, EvilProxy, and Evilginx. Over 1 million PhaaS attacks were detected in January-February 2025 alone. These attacks have evolved from QR codes to HTML attachments and SVG files for link distribution. + +## When to Use + +- When conducting security assessments that involve performing adversary in the middle phishing detection +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Azure AD / Entra ID Conditional Access policies - SIEM with authentication log ingestion (Azure AD sign-in logs) diff --git a/skills/performing-agentless-vulnerability-scanning/SKILL.md b/skills/performing-agentless-vulnerability-scanning/SKILL.md index fdf32b11..429d030c 100644 --- a/skills/performing-agentless-vulnerability-scanning/SKILL.md +++ b/skills/performing-agentless-vulnerability-scanning/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Agentless vulnerability scanning assesses systems for security weaknesses without requiring endpoint agent installation. This approach leverages existing network protocols (SSH for Linux, WMI for Windows), cloud provider APIs for snapshot-based analysis, and authenticated remote checks. Modern cloud platforms like Microsoft Defender for Cloud, Wiz, Datadog, and Tenable perform out-of-band analysis by taking disk snapshots and examining OS configurations and installed packages offline. The open-source tool Vuls provides agentless scanning based on NVD and OVAL data for Linux/FreeBSD systems. This skill covers configuring agentless scans across on-premises, cloud, and containerized environments. + +## When to Use + +- When conducting security assessments that involve performing agentless vulnerability scanning +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - SSH key-based authentication configured on Linux/Unix targets - WMI/WinRM access on Windows targets with appropriate credentials diff --git a/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md b/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md index 3c07133a..0bffdf0e 100644 --- a/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md +++ b/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Asset criticality scoring assigns a business impact rating to each IT asset so that vulnerability remediation efforts focus on systems with the greatest organizational risk. Without criticality context, a CVSS 9.0 vulnerability on a test server receives the same urgency as the same vulnerability on a payment processing database. This skill covers building a multi-factor scoring model incorporating data sensitivity, business function dependency, regulatory scope, network exposure, and recoverability to create a 1-5 criticality tier that directly modifies vulnerability remediation SLAs. + +## When to Use + +- When conducting security assessments that involve performing asset criticality scoring for vulns +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Configuration Management Database (CMDB) or asset inventory - Business Impact Analysis (BIA) data diff --git a/skills/performing-authenticated-vulnerability-scan/SKILL.md b/skills/performing-authenticated-vulnerability-scan/SKILL.md index 87dab3e3..3e8f7dfd 100644 --- a/skills/performing-authenticated-vulnerability-scan/SKILL.md +++ b/skills/performing-authenticated-vulnerability-scan/SKILL.md @@ -13,6 +13,14 @@ license: Apache-2.0 ## Overview Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents. + +## When to Use + +- When conducting security assessments that involve performing authenticated vulnerability scan +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Vulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM) - Service accounts with appropriate privileges on target systems diff --git a/skills/performing-automated-malware-analysis-with-cape/SKILL.md b/skills/performing-automated-malware-analysis-with-cape/SKILL.md index 6c9e9aa0..ef20b395 100644 --- a/skills/performing-automated-malware-analysis-with-cape/SKILL.md +++ b/skills/performing-automated-malware-analysis-with-cape/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 CAPE (Config And Payload Extraction) is an open-source malware sandbox derived from Cuckoo that automates behavioral analysis, payload dumping, and configuration extraction. CAPEv2 features API hooking for behavioral instrumentation, captures files created/modified/deleted during execution, records network traffic in PCAP format, and includes 70+ custom configuration extractors (cape-parsers) for families like Emotet, TrickBot, Cobalt Strike, AsyncRAT, and Rhadamanthys. The signature system includes 1000+ behavioral signatures detecting evasion techniques, persistence, credential theft, and ransomware behavior. CAPE's debugger enables dynamic anti-evasion bypasses combining debugger actions within YARA signatures. Recommended deployment: Ubuntu LTS host with Windows 10 21H2 guest VM. + +## When to Use + +- When conducting security assessments that involve performing automated malware analysis with cape +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Ubuntu 22.04 LTS server (8+ CPU cores, 32GB+ RAM, 500GB+ SSD) diff --git a/skills/performing-bluetooth-security-assessment/SKILL.md b/skills/performing-bluetooth-security-assessment/SKILL.md index 489142bd..46c102f5 100644 --- a/skills/performing-bluetooth-security-assessment/SKILL.md +++ b/skills/performing-bluetooth-security-assessment/SKILL.md @@ -18,6 +18,14 @@ This skill covers performing Bluetooth Low Energy (BLE) security assessments usi The agent uses bleak's asyncio API to discover nearby BLE devices, connect to target devices, enumerate all GATT services and characteristics, and analyze security properties of each characteristic. It flags characteristics that allow unauthenticated read/write access to sensitive data and identifies devices matching known vulnerable profiles. + +## When to Use + +- When conducting security assessments that involve performing bluetooth security assessment +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Python 3.9 or later diff --git a/skills/performing-brand-monitoring-for-impersonation/SKILL.md b/skills/performing-brand-monitoring-for-impersonation/SKILL.md index 1d2984ff..938278ca 100644 --- a/skills/performing-brand-monitoring-for-impersonation/SKILL.md +++ b/skills/performing-brand-monitoring-for-impersonation/SKILL.md @@ -14,6 +14,14 @@ license: Apache-2.0 Brand impersonation attacks exploit consumer trust through lookalike domains, fake social media profiles, counterfeit mobile apps, and phishing sites that mimic legitimate brands. In 2025, brand impersonation remained one of the most costly cyber threats, with AI-generated phishing emails achieving a 54% click-through rate. This skill covers building a comprehensive brand monitoring program that detects domain squatting, social media impersonation, fake mobile apps, unauthorized logo usage, and dark web brand mentions using automated scanning and alerting. + +## When to Use + +- When conducting security assessments that involve performing brand monitoring for impersonation +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Python 3.9+ with `dnstwist`, `requests`, `beautifulsoup4`, `Levenshtein`, `tweepy` libraries diff --git a/skills/performing-cloud-asset-inventory-with-cartography/scripts/agent.py b/skills/performing-cloud-asset-inventory-with-cartography/scripts/agent.py index cba16178..ffe1e6b4 100644 --- a/skills/performing-cloud-asset-inventory-with-cartography/scripts/agent.py +++ b/skills/performing-cloud-asset-inventory-with-cartography/scripts/agent.py @@ -1,60 +1,239 @@ #!/usr/bin/env python3 -"""Cartography cloud asset inventory agent.""" -import argparse, json +"""Cartography cloud asset inventory agent. + +Wraps the Cartography tool to enumerate and inventory cloud assets +across AWS accounts, then queries the resulting Neo4j graph database +to identify security-relevant relationships, exposed resources, and +misconfigured assets. +""" +import argparse +import json +import os +import subprocess +import sys from datetime import datetime, timezone + try: - import requests + from neo4j import GraphDatabase + HAS_NEO4J = True except ImportError: - requests = None + HAS_NEO4J = False -def run_scan(target, token=None): + +def run_cartography(profile=None, neo4j_uri="bolt://localhost:7687", + neo4j_user="neo4j", neo4j_password="neo4j"): + """Execute Cartography to populate the Neo4j graph.""" + cmd = [sys.executable, "-m", "cartography", + "--neo4j-uri", neo4j_uri, + "--neo4j-user", neo4j_user, + "--neo4j-password-env-var", "NEO4J_PASSWORD"] + if profile: + cmd.extend(["--aws-requested-syncs", "ec2,iam,s3,rds,lambda,ecs"]) + env = dict(os.environ) + env["NEO4J_PASSWORD"] = neo4j_password + print(f"[*] Running Cartography sync...") + result = subprocess.run(cmd, capture_output=True, text=True, timeout=900, env=env) + if result.returncode != 0: + print(f"[!] Cartography error: {result.stderr[:300]}", file=sys.stderr) + return result.returncode + + +def query_neo4j(driver, query, params=None): + """Execute a Cypher query against the Neo4j graph.""" + with driver.session() as session: + result = session.run(query, params or {}) + return [record.data() for record in result] + + +def inventory_ec2_instances(driver): + """Query EC2 instances from the graph.""" + query = """ + MATCH (i:EC2Instance) + OPTIONAL MATCH (i)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup) + RETURN i.id AS instance_id, i.instancetype AS type, + i.state AS state, i.publicipaddress AS public_ip, + i.privateipaddress AS private_ip, + i.launchtime AS launch_time, + collect(DISTINCT sg.groupid) AS security_groups + ORDER BY i.launchtime DESC + """ + return query_neo4j(driver, query) + + +def inventory_s3_buckets(driver): + """Query S3 buckets from the graph.""" + query = """ + MATCH (b:S3Bucket) + OPTIONAL MATCH (b)-[:RESOURCE]->(acl:S3Acl) + RETURN b.name AS bucket_name, b.region AS region, + b.anonymous_access AS anonymous_access, + b.default_encryption AS encryption, + b.versioning_status AS versioning + ORDER BY b.name + """ + return query_neo4j(driver, query) + + +def find_public_resources(driver): + """Find publicly accessible resources.""" findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} if token else {} - try: - resp = requests.get(f"{target}", headers=headers, timeout=15) - if resp.status_code == 200: - findings.append({"check": "Target Accessible", "status": "OK", "severity": "INFO"}) - else: - findings.append({"check": "Target Access", "status": f"HTTP {resp.status_code}", "severity": "MEDIUM"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) + # Public EC2 instances + query = """ + MATCH (i:EC2Instance) + WHERE i.publicipaddress IS NOT NULL AND i.state = 'running' + MATCH (i)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup) + -[:MEMBER_OF_EC2_SECURITY_GROUP]->(rule:IpRule) + WHERE rule.cidr_ip = '0.0.0.0/0' + RETURN DISTINCT i.id AS resource_id, 'EC2Instance' AS type, + i.publicipaddress AS public_ip, rule.fromport AS port + """ + for r in query_neo4j(driver, query): + findings.append({ + "type": "public_ec2", + "resource": r["resource_id"], + "severity": "HIGH", + "detail": f"Public IP {r.get('public_ip', 'N/A')} open on port {r.get('port', 'all')}", + }) + + # Public S3 buckets + query = """ + MATCH (b:S3Bucket) WHERE b.anonymous_access = true + RETURN b.name AS bucket_name + """ + for r in query_neo4j(driver, query): + findings.append({ + "type": "public_s3", + "resource": r["bucket_name"], + "severity": "CRITICAL", + "detail": "S3 bucket allows anonymous access", + }) + + # IAM users without MFA + query = """ + MATCH (u:AWSUser) WHERE u.mfa_active = false AND u.password_enabled = true + RETURN u.name AS username, u.arn AS arn + """ + for r in query_neo4j(driver, query): + findings.append({ + "type": "iam_no_mfa", + "resource": r["username"], + "severity": "HIGH", + "detail": f"IAM user {r['username']} has console access without MFA", + }) + return findings -def analyze_results(target, token=None): + +def find_unencrypted_resources(driver): + """Find unencrypted storage resources.""" findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} if token else {} - try: - resp = requests.get(f"{target}/api/v1/results", headers=headers, timeout=15) - if resp.status_code == 200: - data = resp.json() - for item in data.get("findings", data.get("results", [])): - severity = item.get("severity", item.get("risk", "MEDIUM")) - findings.append({"check": item.get("name", item.get("title", "unknown")), - "severity": severity.upper() if isinstance(severity, str) else "MEDIUM"}) - except requests.RequestException: - pass + query = """ + MATCH (v:EBSVolume) WHERE v.encrypted = false + RETURN v.id AS volume_id, v.size AS size_gb, v.state AS state + """ + for r in query_neo4j(driver, query): + findings.append({ + "type": "unencrypted_ebs", + "resource": r["volume_id"], + "severity": "HIGH", + "detail": f"Unencrypted EBS volume ({r.get('size_gb', '?')} GB)", + }) + + query = """ + MATCH (b:S3Bucket) + WHERE b.default_encryption IS NULL OR b.default_encryption = false + RETURN b.name AS bucket_name + """ + for r in query_neo4j(driver, query): + findings.append({ + "type": "unencrypted_s3", + "resource": r["bucket_name"], + "severity": "MEDIUM", + "detail": "S3 bucket without default encryption", + }) + return findings + +def format_summary(ec2_instances, s3_buckets, security_findings): + """Print inventory summary.""" + print(f"\n{'='*60}") + print(f" Cartography Cloud Asset Inventory") + print(f"{'='*60}") + print(f" EC2 Instances : {len(ec2_instances)}") + print(f" S3 Buckets : {len(s3_buckets)}") + print(f" Security Findings: {len(security_findings)}") + + running = sum(1 for i in ec2_instances if i.get("state") == "running") + public = sum(1 for i in ec2_instances if i.get("public_ip")) + print(f"\n EC2: {running} running, {public} with public IP") + + if security_findings: + severity_counts = {} + for f in security_findings: + sev = f.get("severity", "INFO") + severity_counts[sev] = severity_counts.get(sev, 0) + 1 + print(f"\n Security Findings:") + for sev in ["CRITICAL", "HIGH", "MEDIUM"]: + count = severity_counts.get(sev, 0) + if count: + print(f" {sev:10s}: {count}") + for f in security_findings[:15]: + print(f" [{f['severity']:8s}] {f['type']:20s} | {f['resource']}: {f['detail'][:40]}") + + return {s: severity_counts.get(s, 0) for s in ["CRITICAL", "HIGH", "MEDIUM"]} if security_findings else {} + + def main(): - p = argparse.ArgumentParser(description="Cartography cloud asset inventory agent") - p.add_argument("--target", required=True, help="Target URL or IP") - p.add_argument("--token", help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = p.parse_args() - print("[*] Cartography cloud asset inventory agent") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "target": a.target, "findings": []} - report["findings"].extend(run_scan(a.target, a.token)) - report["findings"].extend(analyze_results(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "CRITICAL" if high > 2 else "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: - print(json.dumps(report, indent=2)) + parser = argparse.ArgumentParser(description="Cartography cloud asset inventory agent") + parser.add_argument("--neo4j-uri", default="bolt://localhost:7687") + parser.add_argument("--neo4j-user", default="neo4j") + parser.add_argument("--neo4j-password", default=os.environ.get("NEO4J_PASSWORD", "neo4j")) + parser.add_argument("--sync", action="store_true", help="Run Cartography sync before query") + parser.add_argument("--profile", help="AWS CLI profile for sync") + parser.add_argument("--output", "-o", help="Output JSON report") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + if not HAS_NEO4J: + print("[!] neo4j driver required: pip install neo4j", file=sys.stderr) + sys.exit(1) + + if args.sync: + run_cartography(args.profile, args.neo4j_uri, args.neo4j_user, args.neo4j_password) + + driver = GraphDatabase.driver(args.neo4j_uri, auth=(args.neo4j_user, args.neo4j_password)) + + ec2_instances = inventory_ec2_instances(driver) + s3_buckets = inventory_s3_buckets(driver) + public_findings = find_public_resources(driver) + encryption_findings = find_unencrypted_resources(driver) + all_findings = public_findings + encryption_findings + + severity_counts = format_summary(ec2_instances, s3_buckets, all_findings) + driver.close() + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "Cartography", + "ec2_instances": ec2_instances, + "s3_buckets": s3_buckets, + "security_findings": all_findings, + "severity_counts": severity_counts, + "risk_level": ( + "CRITICAL" if severity_counts.get("CRITICAL", 0) > 0 + else "HIGH" if severity_counts.get("HIGH", 0) > 0 + else "MEDIUM" if all_findings else "LOW" + ), + } + + if args.output: + with open(args.output, "w") as f: + json.dump(report, f, indent=2, default=str) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: + print(json.dumps(report, indent=2, default=str)) + if __name__ == "__main__": main() diff --git a/skills/performing-cloud-incident-containment-procedures/scripts/agent.py b/skills/performing-cloud-incident-containment-procedures/scripts/agent.py index 39addd15..d9e85d74 100644 --- a/skills/performing-cloud-incident-containment-procedures/scripts/agent.py +++ b/skills/performing-cloud-incident-containment-procedures/scripts/agent.py @@ -1,60 +1,327 @@ #!/usr/bin/env python3 -"""Cloud incident containment agent.""" -import argparse, json +"""AWS cloud incident containment agent. + +Automates incident containment procedures in AWS environments including +EC2 instance isolation, IAM credential revocation, security group lockdown, +S3 bucket access restriction, and forensic snapshot creation using boto3. +""" +import argparse +import json +import os +import sys from datetime import datetime, timezone + try: - import requests + import boto3 + from botocore.exceptions import ClientError except ImportError: - requests = None + print("[!] 'boto3' library required: pip install boto3", file=sys.stderr) + sys.exit(1) -def run_scan(target, token=None): + +def get_session(profile=None, region=None): + """Create a boto3 session.""" + kwargs = {} + if profile: + kwargs["profile_name"] = profile + if region: + kwargs["region_name"] = region + return boto3.Session(**kwargs) + + +def isolate_ec2_instance(session, instance_id, vpc_id=None): + """Isolate an EC2 instance by replacing security groups with a deny-all SG.""" + ec2 = session.client("ec2") findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} if token else {} + print(f"[*] Isolating EC2 instance: {instance_id}") + + # Get current instance details try: - resp = requests.get(f"{target}", headers=headers, timeout=15) - if resp.status_code == 200: - findings.append({"check": "Target Accessible", "status": "OK", "severity": "INFO"}) + resp = ec2.describe_instances(InstanceIds=[instance_id]) + instance = resp["Reservations"][0]["Instances"][0] + current_sgs = [sg["GroupId"] for sg in instance.get("SecurityGroups", [])] + instance_vpc = instance.get("VpcId", vpc_id) + findings.append({"action": "describe_instance", "status": "OK", + "detail": f"Current SGs: {current_sgs}"}) + except ClientError as e: + findings.append({"action": "describe_instance", "status": "FAIL", + "severity": "CRITICAL", "detail": str(e)}) + return findings + + # Create or find isolation security group + isolation_sg_name = f"incident-isolation-{instance_id[:8]}" + isolation_sg_id = None + try: + existing = ec2.describe_security_groups( + Filters=[{"Name": "group-name", "Values": [isolation_sg_name]}, + {"Name": "vpc-id", "Values": [instance_vpc]}] + ) + if existing["SecurityGroups"]: + isolation_sg_id = existing["SecurityGroups"][0]["GroupId"] else: - findings.append({"check": "Target Access", "status": f"HTTP {resp.status_code}", "severity": "MEDIUM"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) + resp = ec2.create_security_group( + GroupName=isolation_sg_name, + Description=f"Incident isolation SG for {instance_id}", + VpcId=instance_vpc, + ) + isolation_sg_id = resp["GroupId"] + # Revoke default egress rule + ec2.revoke_security_group_egress( + GroupId=isolation_sg_id, + IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}], + ) + findings.append({"action": "create_isolation_sg", "status": "OK", + "detail": f"SG: {isolation_sg_id} (no ingress, no egress)"}) + except ClientError as e: + findings.append({"action": "create_isolation_sg", "status": "FAIL", + "severity": "HIGH", "detail": str(e)}) + return findings + + # Replace security groups with isolation SG + try: + ec2.modify_instance_attribute( + InstanceId=instance_id, + Groups=[isolation_sg_id], + ) + findings.append({"action": "apply_isolation_sg", "status": "OK", + "detail": f"Replaced {current_sgs} with [{isolation_sg_id}]"}) + except ClientError as e: + findings.append({"action": "apply_isolation_sg", "status": "FAIL", + "severity": "CRITICAL", "detail": str(e)}) + + # Tag instance as contained + try: + ec2.create_tags( + Resources=[instance_id], + Tags=[ + {"Key": "IncidentStatus", "Value": "CONTAINED"}, + {"Key": "ContainmentTime", "Value": datetime.now(timezone.utc).isoformat()}, + {"Key": "OriginalSecurityGroups", "Value": ",".join(current_sgs)}, + ], + ) + findings.append({"action": "tag_instance", "status": "OK"}) + except ClientError as e: + findings.append({"action": "tag_instance", "status": "FAIL", "detail": str(e)}) + return findings -def analyze_results(target, token=None): + +def create_forensic_snapshot(session, instance_id): + """Create EBS snapshots for forensic preservation.""" + ec2 = session.client("ec2") findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} if token else {} + print(f"[*] Creating forensic snapshots for: {instance_id}") + try: - resp = requests.get(f"{target}/api/v1/results", headers=headers, timeout=15) - if resp.status_code == 200: - data = resp.json() - for item in data.get("findings", data.get("results", [])): - severity = item.get("severity", item.get("risk", "MEDIUM")) - findings.append({"check": item.get("name", item.get("title", "unknown")), - "severity": severity.upper() if isinstance(severity, str) else "MEDIUM"}) - except requests.RequestException: - pass + resp = ec2.describe_instances(InstanceIds=[instance_id]) + instance = resp["Reservations"][0]["Instances"][0] + volumes = [] + for mapping in instance.get("BlockDeviceMappings", []): + vol_id = mapping.get("Ebs", {}).get("VolumeId") + if vol_id: + volumes.append((mapping["DeviceName"], vol_id)) + except ClientError as e: + findings.append({"action": "describe_volumes", "status": "FAIL", "detail": str(e)}) + return findings + + for device_name, vol_id in volumes: + try: + snap = ec2.create_snapshot( + VolumeId=vol_id, + Description=f"Forensic snapshot - {instance_id} {device_name} - " + f"{datetime.now(timezone.utc).isoformat()}", + TagSpecifications=[{ + "ResourceType": "snapshot", + "Tags": [ + {"Key": "Purpose", "Value": "Forensic-Preservation"}, + {"Key": "SourceInstance", "Value": instance_id}, + {"Key": "SourceVolume", "Value": vol_id}, + {"Key": "CreatedBy", "Value": "incident-containment-agent"}, + ], + }], + ) + findings.append({ + "action": "create_snapshot", + "status": "OK", + "detail": f"{vol_id} ({device_name}) -> {snap['SnapshotId']}", + }) + except ClientError as e: + findings.append({"action": "create_snapshot", "status": "FAIL", + "detail": f"{vol_id}: {e}"}) + return findings + +def revoke_iam_credentials(session, username): + """Revoke all IAM credentials for a compromised user.""" + iam = session.client("iam") + findings = [] + print(f"[*] Revoking credentials for IAM user: {username}") + + # Deactivate access keys + try: + keys = iam.list_access_keys(UserName=username) + for key in keys.get("AccessKeyMetadata", []): + key_id = key["AccessKeyId"] + iam.update_access_key( + UserName=username, AccessKeyId=key_id, Status="Inactive" + ) + findings.append({"action": "deactivate_access_key", "status": "OK", + "detail": f"Key {key_id[:8]}... deactivated"}) + except ClientError as e: + findings.append({"action": "deactivate_access_keys", "status": "FAIL", "detail": str(e)}) + + # Invalidate console session by attaching deny-all inline policy + deny_policy = json.dumps({ + "Version": "2012-10-17", + "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}], + }) + try: + iam.put_user_policy( + UserName=username, + PolicyName="IncidentDenyAll", + PolicyDocument=deny_policy, + ) + findings.append({"action": "attach_deny_policy", "status": "OK", + "detail": "Deny-all policy attached"}) + except ClientError as e: + findings.append({"action": "attach_deny_policy", "status": "FAIL", "detail": str(e)}) + + # Delete login profile (console access) + try: + iam.delete_login_profile(UserName=username) + findings.append({"action": "delete_console_access", "status": "OK"}) + except iam.exceptions.NoSuchEntityException: + findings.append({"action": "delete_console_access", "status": "SKIP", + "detail": "No console access configured"}) + except ClientError as e: + findings.append({"action": "delete_console_access", "status": "FAIL", "detail": str(e)}) + + return findings + + +def restrict_s3_bucket(session, bucket_name): + """Restrict S3 bucket access during incident containment.""" + s3 = session.client("s3") + findings = [] + print(f"[*] Restricting S3 bucket: {bucket_name}") + + # Block public access + try: + s3.put_public_access_block( + Bucket=bucket_name, + PublicAccessBlockConfiguration={ + "BlockPublicAcls": True, + "IgnorePublicAcls": True, + "BlockPublicPolicy": True, + "RestrictPublicBuckets": True, + }, + ) + findings.append({"action": "block_public_access", "status": "OK"}) + except ClientError as e: + findings.append({"action": "block_public_access", "status": "FAIL", "detail": str(e)}) + + # Enable versioning (preserve evidence) + try: + s3.put_bucket_versioning( + Bucket=bucket_name, + VersioningConfiguration={"Status": "Enabled"}, + ) + findings.append({"action": "enable_versioning", "status": "OK"}) + except ClientError as e: + findings.append({"action": "enable_versioning", "status": "FAIL", "detail": str(e)}) + + return findings + + +def format_summary(all_actions): + """Print containment summary.""" + print(f"\n{'='*60}") + print(f" Cloud Incident Containment Report") + print(f"{'='*60}") + + success = sum(1 for a in all_actions if a.get("status") == "OK") + failed = sum(1 for a in all_actions if a.get("status") == "FAIL") + print(f" Actions : {len(all_actions)}") + print(f" Success : {success}") + print(f" Failed : {failed}") + + print(f"\n Actions Taken:") + for a in all_actions: + icon = "OK" if a["status"] == "OK" else "!!" if a["status"] == "FAIL" else "--" + print(f" [{icon}] {a['action']:30s} {a.get('detail', '')[:50]}") + + def main(): - p = argparse.ArgumentParser(description="Cloud incident containment agent") - p.add_argument("--target", required=True, help="Target URL or IP") - p.add_argument("--token", help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = p.parse_args() - print("[*] Cloud incident containment agent") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "target": a.target, "findings": []} - report["findings"].extend(run_scan(a.target, a.token)) - report["findings"].extend(analyze_results(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "CRITICAL" if high > 2 else "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: + parser = argparse.ArgumentParser( + description="AWS cloud incident containment agent" + ) + sub = parser.add_subparsers(dest="command") + + p_iso = sub.add_parser("isolate", help="Isolate EC2 instance") + p_iso.add_argument("--instance-id", required=True) + + p_snap = sub.add_parser("snapshot", help="Create forensic snapshots") + p_snap.add_argument("--instance-id", required=True) + + p_iam = sub.add_parser("revoke-iam", help="Revoke IAM user credentials") + p_iam.add_argument("--username", required=True) + + p_s3 = sub.add_parser("restrict-s3", help="Restrict S3 bucket") + p_s3.add_argument("--bucket", required=True) + + p_full = sub.add_parser("full-contain", help="Full containment: isolate + snapshot + IAM") + p_full.add_argument("--instance-id", required=True) + p_full.add_argument("--username", help="IAM user to revoke") + p_full.add_argument("--bucket", help="S3 bucket to restrict") + + parser.add_argument("--profile", help="AWS CLI profile") + parser.add_argument("--region", help="AWS region") + parser.add_argument("--output", "-o", help="Output JSON report path") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + if not args.command: + parser.print_help() + sys.exit(1) + + session = get_session(args.profile, args.region) + all_actions = [] + + if args.command == "isolate": + all_actions.extend(isolate_ec2_instance(session, args.instance_id)) + elif args.command == "snapshot": + all_actions.extend(create_forensic_snapshot(session, args.instance_id)) + elif args.command == "revoke-iam": + all_actions.extend(revoke_iam_credentials(session, args.username)) + elif args.command == "restrict-s3": + all_actions.extend(restrict_s3_bucket(session, args.bucket)) + elif args.command == "full-contain": + all_actions.extend(isolate_ec2_instance(session, args.instance_id)) + all_actions.extend(create_forensic_snapshot(session, args.instance_id)) + if args.username: + all_actions.extend(revoke_iam_credentials(session, args.username)) + if args.bucket: + all_actions.extend(restrict_s3_bucket(session, args.bucket)) + + format_summary(all_actions) + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "AWS Incident Containment", + "command": args.command, + "actions": all_actions, + "success_count": sum(1 for a in all_actions if a["status"] == "OK"), + "fail_count": sum(1 for a in all_actions if a["status"] == "FAIL"), + } + + if args.output: + with open(args.output, "w") as f: + json.dump(report, f, indent=2) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: print(json.dumps(report, indent=2)) + if __name__ == "__main__": main() diff --git a/skills/performing-cloud-storage-forensic-acquisition/references/api-reference.md b/skills/performing-cloud-storage-forensic-acquisition/references/api-reference.md index 5520c611..473c8744 100644 --- a/skills/performing-cloud-storage-forensic-acquisition/references/api-reference.md +++ b/skills/performing-cloud-storage-forensic-acquisition/references/api-reference.md @@ -1,27 +1,197 @@ -# API Reference: Cloud storage forensic acquisition agent +# API Reference: Cloud Storage Forensic Acquisition -## API Details -S3: list_objects_v2, get_object, get_bucket_versioning; GCS: list_blobs, download_blob +## Libraries Used + +| Library | Purpose | +|---------|---------| +| `boto3` | AWS S3 object listing, download, and versioning | +| `json` | Parse object metadata and access logs | +| `hashlib` | Generate SHA-256 hashes for evidence integrity | +| `datetime` | Filter objects by time range for incident scope | ## Installation + ```bash pip install boto3 ``` -## Libraries - -| Library | Use | -|---------|-----| -| `boto3` | boto3 | - ## Authentication -| Method | Header | -|--------|--------| -| Bearer Token | `Authorization: Bearer ` | -| API Key | `X-API-Key: ` | +```python +import boto3 +import os + +session = boto3.Session( + aws_access_key_id=os.environ.get("AWS_ACCESS_KEY_ID"), + aws_secret_access_key=os.environ.get("AWS_SECRET_ACCESS_KEY"), + region_name=os.environ.get("AWS_REGION", "us-east-1"), +) + +s3 = session.client("s3") +``` + +## AWS S3 Forensic Operations + +### List All Object Versions (Including Deleted) +```python +def list_all_versions(bucket, prefix=""): + """List all object versions including delete markers for forensic timeline.""" + paginator = s3.get_paginator("list_object_versions") + versions = [] + for page in paginator.paginate(Bucket=bucket, Prefix=prefix): + for v in page.get("Versions", []): + versions.append({ + "key": v["Key"], + "version_id": v["VersionId"], + "last_modified": v["LastModified"].isoformat(), + "size": v["Size"], + "is_latest": v["IsLatest"], + "etag": v["ETag"], + }) + for dm in page.get("DeleteMarkers", []): + versions.append({ + "key": dm["Key"], + "version_id": dm["VersionId"], + "last_modified": dm["LastModified"].isoformat(), + "is_delete_marker": True, + "is_latest": dm["IsLatest"], + }) + return sorted(versions, key=lambda v: v["last_modified"]) +``` + +### Download Object with Integrity Verification +```python +import hashlib + +def forensic_download(bucket, key, output_path, version_id=None): + """Download an S3 object and compute SHA-256 hash for chain of custody.""" + params = {"Bucket": bucket, "Key": key} + if version_id: + params["VersionId"] = version_id + + resp = s3.get_object(**params) + sha256 = hashlib.sha256() + + with open(output_path, "wb") as f: + for chunk in resp["Body"].iter_chunks(chunk_size=8192): + f.write(chunk) + sha256.update(chunk) + + return { + "key": key, + "version_id": version_id, + "output_path": output_path, + "sha256": sha256.hexdigest(), + "content_type": resp.get("ContentType"), + "last_modified": resp["LastModified"].isoformat(), + "metadata": resp.get("Metadata", {}), + } +``` + +### Recover Deleted Objects +```python +def recover_deleted_objects(bucket, prefix=""): + """Find and restore objects with delete markers.""" + recovered = [] + paginator = s3.get_paginator("list_object_versions") + for page in paginator.paginate(Bucket=bucket, Prefix=prefix): + for dm in page.get("DeleteMarkers", []): + if dm["IsLatest"]: + # Remove delete marker to restore the object + s3.delete_object( + Bucket=bucket, + Key=dm["Key"], + VersionId=dm["VersionId"], + ) + recovered.append({ + "key": dm["Key"], + "delete_marker_removed": dm["VersionId"], + }) + return recovered +``` + +### Get S3 Access Logs for Incident Timeline +```python +def get_access_logs(log_bucket, prefix, start_time, end_time): + """Parse S3 access logs to build forensic timeline.""" + paginator = s3.get_paginator("list_objects_v2") + log_entries = [] + for page in paginator.paginate(Bucket=log_bucket, Prefix=prefix): + for obj in page.get("Contents", []): + if start_time <= obj["LastModified"].isoformat() <= end_time: + resp = s3.get_object(Bucket=log_bucket, Key=obj["Key"]) + content = resp["Body"].read().decode("utf-8") + for line in content.strip().split("\n"): + log_entries.append(line) + return log_entries +``` + +### Acquire Bucket Metadata +```python +def acquire_bucket_metadata(bucket): + """Collect all bucket configuration for forensic evidence.""" + metadata = {"bucket": bucket} + + metadata["versioning"] = s3.get_bucket_versioning(Bucket=bucket) + metadata["encryption"] = s3.get_bucket_encryption(Bucket=bucket).get( + "ServerSideEncryptionConfiguration", {} + ) + try: + metadata["logging"] = s3.get_bucket_logging(Bucket=bucket).get("LoggingEnabled", {}) + except Exception: + metadata["logging"] = None + try: + metadata["lifecycle"] = s3.get_bucket_lifecycle_configuration(Bucket=bucket).get("Rules", []) + except Exception: + metadata["lifecycle"] = [] + try: + metadata["policy"] = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"]) + except Exception: + metadata["policy"] = None + + return metadata +``` + +## Evidence Chain of Custody + +```python +import json +from datetime import datetime, timezone + +def create_chain_of_custody(evidence_items): + """Generate a chain-of-custody record for acquired evidence.""" + record = { + "acquisition_time": datetime.now(timezone.utc).isoformat(), + "examiner": os.environ.get("EXAMINER_NAME", "automated"), + "case_id": os.environ.get("CASE_ID", "unknown"), + "items": [], + } + for item in evidence_items: + record["items"].append({ + "source": f"s3://{item['bucket']}/{item['key']}", + "local_path": item["output_path"], + "sha256": item["sha256"], + "acquired_at": datetime.now(timezone.utc).isoformat(), + }) + return record +``` ## Output Format + ```json -{"timestamp": "ISO-8601", "target": "URL", "findings": [], "risk_level": "HIGH"} +{ + "bucket": "incident-bucket", + "acquisition_time": "2025-01-15T10:30:00Z", + "total_objects": 1542, + "total_versions": 3891, + "deleted_objects_recovered": 23, + "evidence_items": [ + { + "key": "sensitive/data.csv", + "version_id": "abc123", + "sha256": "a1b2c3d4e5f6...", + "last_modified": "2025-01-14T08:00:00Z" + } + ] +} ``` diff --git a/skills/performing-cloud-storage-forensic-acquisition/scripts/agent.py b/skills/performing-cloud-storage-forensic-acquisition/scripts/agent.py index 4459b35a..75c4d232 100644 --- a/skills/performing-cloud-storage-forensic-acquisition/scripts/agent.py +++ b/skills/performing-cloud-storage-forensic-acquisition/scripts/agent.py @@ -1,60 +1,300 @@ #!/usr/bin/env python3 -"""Cloud storage forensic acquisition agent.""" -import argparse, json +"""Cloud storage forensic acquisition agent. + +Acquires forensic copies of cloud storage objects from AWS S3, Azure Blob +Storage, and GCP Cloud Storage with integrity verification using SHA-256 +hashes, metadata preservation, and chain-of-custody logging. +""" +import argparse +import hashlib +import json +import os +import sys from datetime import datetime, timezone + try: - import requests + import boto3 + from botocore.exceptions import ClientError + HAS_BOTO3 = True except ImportError: - requests = None + HAS_BOTO3 = False + + +def acquire_s3_objects(bucket, prefix="", output_dir=".", profile=None, region=None): + """Acquire S3 objects with forensic integrity verification.""" + if not HAS_BOTO3: + print("[!] boto3 required: pip install boto3", file=sys.stderr) + sys.exit(1) + + kwargs = {} + if profile: + kwargs["profile_name"] = profile + if region: + kwargs["region_name"] = region + session = boto3.Session(**kwargs) + s3 = session.client("s3") + + print(f"[*] Acquiring objects from s3://{bucket}/{prefix}") + evidence_log = [] + + # List objects + paginator = s3.get_paginator("list_objects_v2") + pages = paginator.paginate(Bucket=bucket, Prefix=prefix) + + total_objects = 0 + total_bytes = 0 + + for page in pages: + for obj in page.get("Contents", []): + key = obj["Key"] + size = obj["Size"] + if key.endswith("/"): + continue + + total_objects += 1 + local_path = os.path.join(output_dir, key.replace("/", os.sep)) + os.makedirs(os.path.dirname(local_path), exist_ok=True) + + # Get object metadata + try: + head = s3.head_object(Bucket=bucket, Key=key) + metadata = { + "content_type": head.get("ContentType", ""), + "last_modified": head.get("LastModified", "").isoformat() + if hasattr(head.get("LastModified", ""), "isoformat") + else str(head.get("LastModified", "")), + "etag": head.get("ETag", "").strip('"'), + "version_id": head.get("VersionId", ""), + "server_side_encryption": head.get("ServerSideEncryption", ""), + "storage_class": head.get("StorageClass", "STANDARD"), + "user_metadata": head.get("Metadata", {}), + } + except ClientError as e: + metadata = {"error": str(e)} + + # Download with hash computation + sha256 = hashlib.sha256() + try: + s3.download_file(bucket, key, local_path) + with open(local_path, "rb") as f: + while True: + chunk = f.read(8192) + if not chunk: + break + sha256.update(chunk) + file_hash = sha256.hexdigest() + total_bytes += size + + entry = { + "source": f"s3://{bucket}/{key}", + "local_path": local_path, + "size": size, + "sha256": file_hash, + "metadata": metadata, + "acquired_at": datetime.now(timezone.utc).isoformat(), + "status": "OK", + } + print(f" [{total_objects:4d}] {key} ({size} bytes, SHA256: {file_hash[:16]}...)") + except ClientError as e: + entry = { + "source": f"s3://{bucket}/{key}", + "status": "FAIL", + "error": str(e), + "acquired_at": datetime.now(timezone.utc).isoformat(), + } + print(f" [FAIL] {key}: {e}") + + evidence_log.append(entry) + + print(f"[+] Acquired {total_objects} objects ({total_bytes / 1024 / 1024:.2f} MB)") + return evidence_log + + +def acquire_s3_versions(bucket, key, output_dir=".", profile=None, region=None): + """Acquire all versions of a specific S3 object.""" + if not HAS_BOTO3: + print("[!] boto3 required", file=sys.stderr) + sys.exit(1) + + kwargs = {} + if profile: + kwargs["profile_name"] = profile + if region: + kwargs["region_name"] = region + session = boto3.Session(**kwargs) + s3 = session.client("s3") + + print(f"[*] Acquiring all versions of s3://{bucket}/{key}") + evidence_log = [] -def run_scan(target, token=None): - findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} if token else {} try: - resp = requests.get(f"{target}", headers=headers, timeout=15) - if resp.status_code == 200: - findings.append({"check": "Target Accessible", "status": "OK", "severity": "INFO"}) + versions = s3.list_object_versions(Bucket=bucket, Prefix=key) + except ClientError as e: + print(f"[!] Error listing versions: {e}", file=sys.stderr) + return evidence_log + + for version in versions.get("Versions", []): + vid = version.get("VersionId", "null") + size = version.get("Size", 0) + is_latest = version.get("IsLatest", False) + + safe_vid = vid.replace("/", "_")[:20] + base_name = os.path.basename(key) + local_path = os.path.join(output_dir, f"{base_name}.v_{safe_vid}") + + try: + s3.download_file(bucket, key, local_path, + ExtraArgs={"VersionId": vid} if vid != "null" else {}) + sha256 = hashlib.sha256() + with open(local_path, "rb") as f: + while True: + chunk = f.read(8192) + if not chunk: + break + sha256.update(chunk) + + entry = { + "source": f"s3://{bucket}/{key}?versionId={vid}", + "version_id": vid, + "is_latest": is_latest, + "local_path": local_path, + "size": size, + "sha256": sha256.hexdigest(), + "last_modified": str(version.get("LastModified", "")), + "acquired_at": datetime.now(timezone.utc).isoformat(), + "status": "OK", + } + print(f" Version {vid[:12]:12s} | {size:10d} bytes | " + f"{'LATEST' if is_latest else ' '} | SHA256: {sha256.hexdigest()[:16]}...") + except ClientError as e: + entry = {"source": f"s3://{bucket}/{key}", "version_id": vid, + "status": "FAIL", "error": str(e)} + + evidence_log.append(entry) + + # Also acquire delete markers + for marker in versions.get("DeleteMarkers", []): + evidence_log.append({ + "source": f"s3://{bucket}/{key}", + "version_id": marker.get("VersionId", ""), + "type": "DELETE_MARKER", + "last_modified": str(marker.get("LastModified", "")), + "is_latest": marker.get("IsLatest", False), + }) + + return evidence_log + + +def verify_integrity(evidence_log): + """Verify SHA-256 hashes of acquired files.""" + print(f"\n[*] Verifying integrity of {len(evidence_log)} acquired objects...") + verified = 0 + failed = 0 + + for entry in evidence_log: + if entry.get("status") != "OK" or not entry.get("local_path"): + continue + local_path = entry["local_path"] + expected_hash = entry.get("sha256", "") + if not os.path.isfile(local_path): + entry["integrity"] = "MISSING" + failed += 1 + continue + + sha256 = hashlib.sha256() + with open(local_path, "rb") as f: + while True: + chunk = f.read(8192) + if not chunk: + break + sha256.update(chunk) + + if sha256.hexdigest() == expected_hash: + entry["integrity"] = "VERIFIED" + verified += 1 else: - findings.append({"check": "Target Access", "status": f"HTTP {resp.status_code}", "severity": "MEDIUM"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) - return findings + entry["integrity"] = "MISMATCH" + failed += 1 + print(f" [FAIL] {local_path}: hash mismatch") + + print(f"[+] Integrity check: {verified} verified, {failed} failed") + return verified, failed + + +def format_summary(evidence_log, verified, failed): + """Print acquisition summary.""" + print(f"\n{'='*60}") + print(f" Cloud Storage Forensic Acquisition Report") + print(f"{'='*60}") + ok = sum(1 for e in evidence_log if e.get("status") == "OK") + err = sum(1 for e in evidence_log if e.get("status") == "FAIL") + total_bytes = sum(e.get("size", 0) for e in evidence_log if e.get("status") == "OK") + print(f" Objects Acquired : {ok}") + print(f" Objects Failed : {err}") + print(f" Total Size : {total_bytes / 1024 / 1024:.2f} MB") + print(f" Integrity OK : {verified}") + print(f" Integrity FAIL : {failed}") -def analyze_results(target, token=None): - findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} if token else {} - try: - resp = requests.get(f"{target}/api/v1/results", headers=headers, timeout=15) - if resp.status_code == 200: - data = resp.json() - for item in data.get("findings", data.get("results", [])): - severity = item.get("severity", item.get("risk", "MEDIUM")) - findings.append({"check": item.get("name", item.get("title", "unknown")), - "severity": severity.upper() if isinstance(severity, str) else "MEDIUM"}) - except requests.RequestException: - pass - return findings def main(): - p = argparse.ArgumentParser(description="Cloud storage forensic acquisition agent") - p.add_argument("--target", required=True, help="Target URL or IP") - p.add_argument("--token", help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = p.parse_args() - print("[*] Cloud storage forensic acquisition agent") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "target": a.target, "findings": []} - report["findings"].extend(run_scan(a.target, a.token)) - report["findings"].extend(analyze_results(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "CRITICAL" if high > 2 else "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: + parser = argparse.ArgumentParser( + description="Cloud storage forensic acquisition agent" + ) + sub = parser.add_subparsers(dest="command") + + p_s3 = sub.add_parser("s3", help="Acquire S3 bucket objects") + p_s3.add_argument("--bucket", required=True, help="S3 bucket name") + p_s3.add_argument("--prefix", default="", help="Object key prefix filter") + p_s3.add_argument("--output-dir", default="./evidence", help="Local output directory") + + p_ver = sub.add_parser("s3-versions", help="Acquire all versions of S3 object") + p_ver.add_argument("--bucket", required=True) + p_ver.add_argument("--key", required=True, help="S3 object key") + p_ver.add_argument("--output-dir", default="./evidence") + + parser.add_argument("--profile", help="AWS CLI profile") + parser.add_argument("--region", help="AWS region") + parser.add_argument("--skip-verify", action="store_true", help="Skip integrity verification") + parser.add_argument("--output", "-o", help="Output JSON report path") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + if not args.command: + parser.print_help() + sys.exit(1) + + os.makedirs(getattr(args, "output_dir", "./evidence"), exist_ok=True) + + if args.command == "s3": + evidence_log = acquire_s3_objects( + args.bucket, args.prefix, args.output_dir, args.profile, args.region + ) + elif args.command == "s3-versions": + evidence_log = acquire_s3_versions( + args.bucket, args.key, args.output_dir, args.profile, args.region + ) + + verified, failed = 0, 0 + if not args.skip_verify: + verified, failed = verify_integrity(evidence_log) + + format_summary(evidence_log, verified, failed) + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "Cloud Forensic Acquisition", + "command": args.command, + "evidence_log": evidence_log, + "integrity": {"verified": verified, "failed": failed}, + } + + if args.output: + with open(args.output, "w") as f: + json.dump(report, f, indent=2) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: print(json.dumps(report, indent=2)) + if __name__ == "__main__": main() diff --git a/skills/performing-container-image-hardening/references/api-reference.md b/skills/performing-container-image-hardening/references/api-reference.md index 37ef5cf9..a59de5ca 100644 --- a/skills/performing-container-image-hardening/references/api-reference.md +++ b/skills/performing-container-image-hardening/references/api-reference.md @@ -1,27 +1,191 @@ -# API Reference: Container image hardening audit agent +# API Reference: Container Image Hardening Audit -## API Details -trivy image --format json, docker inspect, Dockerfile lint, base image analysis +## Libraries Used + +| Library | Purpose | +|---------|---------| +| `subprocess` | Execute Trivy, Docker, and hadolint CLI commands | +| `json` | Parse vulnerability scan and inspection results | +| `re` | Analyze Dockerfile instructions | +| `pathlib` | Handle Dockerfile and image paths | ## Installation + ```bash -pip install subprocess +# Trivy vulnerability scanner +curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + +# Hadolint Dockerfile linter +wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 +chmod +x /usr/local/bin/hadolint + +# Docker CLI (already installed in most environments) ``` -## Libraries +## Trivy Image Scanning -| Library | Use | -|---------|-----| -| `subprocess` | subprocess | +### Scan Image for Vulnerabilities +```python +import subprocess +import json -## Authentication +def scan_image(image_name, severity="CRITICAL,HIGH"): + cmd = [ + "trivy", "image", + "--format", "json", + "--severity", severity, + "--exit-code", "0", + image_name, + ] + result = subprocess.run(cmd, capture_output=True, text=True, timeout=300) + return json.loads(result.stdout) if result.stdout else {} +``` -| Method | Header | -|--------|--------| -| Bearer Token | `Authorization: Bearer ` | -| API Key | `X-API-Key: ` | +### Scan for Secrets in Image +```python +def scan_secrets(image_name): + cmd = [ + "trivy", "image", + "--format", "json", + "--scanners", "secret", + image_name, + ] + result = subprocess.run(cmd, capture_output=True, text=True, timeout=300) + return json.loads(result.stdout) if result.stdout else {} +``` + +### Scan for Misconfigurations +```python +def scan_misconfig(image_name): + cmd = [ + "trivy", "image", + "--format", "json", + "--scanners", "misconfig", + image_name, + ] + result = subprocess.run(cmd, capture_output=True, text=True, timeout=300) + return json.loads(result.stdout) if result.stdout else {} +``` + +## Docker Image Inspection + +### Inspect Image Metadata +```python +def inspect_image(image_name): + cmd = ["docker", "inspect", image_name] + result = subprocess.run(cmd, capture_output=True, text=True, timeout=30) + data = json.loads(result.stdout)[0] + config = data.get("Config", {}) + return { + "image": image_name, + "user": config.get("User", "root"), + "exposed_ports": list(config.get("ExposedPorts", {}).keys()), + "env_vars": config.get("Env", []), + "entrypoint": config.get("Entrypoint"), + "cmd": config.get("Cmd"), + "labels": config.get("Labels", {}), + "layers": len(data.get("RootFS", {}).get("Layers", [])), + "size_mb": round(data.get("Size", 0) / 1048576, 1), + } +``` + +### Check for Root User +```python +def check_non_root(image_name): + inspection = inspect_image(image_name) + user = inspection["user"] + return { + "image": image_name, + "runs_as_root": user in ("", "root", "0"), + "user": user or "root (default)", + "severity": "high" if user in ("", "root", "0") else "pass", + } +``` + +## Hadolint Dockerfile Linting + +```python +def lint_dockerfile(dockerfile_path): + cmd = [ + "hadolint", + "--format", "json", + str(dockerfile_path), + ] + result = subprocess.run(cmd, capture_output=True, text=True, timeout=30) + findings = json.loads(result.stdout) if result.stdout else [] + return [ + { + "line": f["line"], + "code": f["code"], + "level": f["level"], + "message": f["message"], + } + for f in findings + ] +``` + +## Hardening Checks + +### Common Dockerfile Issues +```python +def audit_dockerfile(dockerfile_path): + findings = [] + with open(dockerfile_path) as f: + lines = f.readlines() + + has_user = False + has_healthcheck = False + + for i, line in enumerate(lines, 1): + stripped = line.strip() + if stripped.startswith("USER") and stripped.split()[-1] not in ("root", "0"): + has_user = True + if stripped.startswith("HEALTHCHECK"): + has_healthcheck = True + if stripped.startswith("FROM") and ":latest" in stripped: + findings.append({ + "line": i, "severity": "medium", + "issue": "Using :latest tag — pin specific version", + }) + if "ADD" in stripped and ("http://" in stripped or "https://" in stripped): + findings.append({ + "line": i, "severity": "high", + "issue": "ADD with remote URL — use COPY + curl for verification", + }) + + if not has_user: + findings.append({"line": 0, "severity": "high", "issue": "No USER instruction — runs as root"}) + if not has_healthcheck: + findings.append({"line": 0, "severity": "low", "issue": "No HEALTHCHECK instruction"}) + + return findings +``` ## Output Format + ```json -{"timestamp": "ISO-8601", "target": "URL", "findings": [], "risk_level": "HIGH"} +{ + "image": "myapp:v1.2.3", + "vulnerabilities": { + "critical": 2, + "high": 8, + "medium": 15, + "low": 23 + }, + "runs_as_root": false, + "size_mb": 142.5, + "layers": 12, + "dockerfile_issues": 3, + "secrets_found": 0, + "findings": [ + { + "type": "vulnerability", + "package": "openssl", + "installed": "3.0.2", + "fixed": "3.0.13", + "severity": "CRITICAL", + "cve": "CVE-2024-0727" + } + ] +} ``` diff --git a/skills/performing-container-security-scanning-with-trivy/SKILL.md b/skills/performing-container-security-scanning-with-trivy/SKILL.md index 1713285a..816ee7e8 100644 --- a/skills/performing-container-security-scanning-with-trivy/SKILL.md +++ b/skills/performing-container-security-scanning-with-trivy/SKILL.md @@ -15,6 +15,14 @@ license: Apache-2.0 Trivy is an open-source security scanner by Aqua Security that detects vulnerabilities in OS packages and language-specific dependencies, infrastructure-as-code misconfigurations, exposed secrets, and software license issues across container images, filesystems, Git repositories, and Kubernetes clusters. Trivy generates Software Bill of Materials (SBOM) in CycloneDX and SPDX formats for supply chain transparency. This skill covers comprehensive container image scanning, CI/CD pipeline integration, Kubernetes operator deployment, and scan result triage for security operations. + +## When to Use + +- When conducting security assessments that involve performing container security scanning with trivy +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + ## Prerequisites - Trivy v0.50+ installed (binary, Docker, or Homebrew) diff --git a/skills/performing-content-security-policy-bypass/references/api-reference.md b/skills/performing-content-security-policy-bypass/references/api-reference.md index 0a11b124..9d8f5f66 100644 --- a/skills/performing-content-security-policy-bypass/references/api-reference.md +++ b/skills/performing-content-security-policy-bypass/references/api-reference.md @@ -1,28 +1,211 @@ -# API Reference: CSP bypass testing agent +# API Reference: Content Security Policy (CSP) Bypass Testing -## API Details -Content-Security-Policy header parsing, directive analysis, bypass vectors, nonce detection +## Libraries Used + +| Library | Purpose | +|---------|---------| +| `requests` | Fetch target page headers and HTML content | +| `re` | Parse CSP directives and detect bypass patterns | +| `json` | Structure findings and report output | +| `urllib.parse` | Parse and analyze allowed CSP source domains | ## Installation + ```bash -pip install requests re +pip install requests ``` -## Libraries +## CSP Directive Reference -| Library | Use | -|---------|-----| -| `requests` | requests | -| `re` | re | +| Directive | Controls | +|-----------|----------| +| `default-src` | Fallback for all resource types | +| `script-src` | JavaScript execution sources | +| `style-src` | CSS stylesheet sources | +| `img-src` | Image sources | +| `connect-src` | XMLHttpRequest, fetch, WebSocket | +| `font-src` | Font file sources | +| `object-src` | Plugin sources (Flash, Java) | +| `frame-src` | iframe embedding sources | +| `base-uri` | Controls `` tag URLs | +| `form-action` | Controls form submission targets | +| `frame-ancestors` | Controls who can embed this page | +| `report-uri` | CSP violation report endpoint | -## Authentication +## Core Operations -| Method | Header | -|--------|--------| -| Bearer Token | `Authorization: Bearer ` | -| API Key | `X-API-Key: ` | +### Fetch and Parse CSP Header +```python +import requests +import re + +def get_csp(url): + resp = requests.get(url, timeout=10) + csp = resp.headers.get("Content-Security-Policy", "") + csp_ro = resp.headers.get("Content-Security-Policy-Report-Only", "") + return { + "url": url, + "csp": csp, + "csp_report_only": csp_ro, + "has_csp": bool(csp), + "directives": parse_csp(csp) if csp else {}, + } + +def parse_csp(csp_string): + directives = {} + for directive in csp_string.split(";"): + parts = directive.strip().split() + if parts: + name = parts[0].lower() + values = parts[1:] if len(parts) > 1 else [] + directives[name] = values + return directives +``` + +### Analyze CSP for Weaknesses +```python +BYPASS_PATTERNS = { + "'unsafe-inline'": "Allows inline scripts — XSS bypass", + "'unsafe-eval'": "Allows eval() — code injection bypass", + "data:": "Allows data: URIs — can inject inline content", + "blob:": "Allows blob: URIs — can create executable blobs", + "*": "Wildcard source — no effective restriction", + "http:": "Allows HTTP — mixed content / MITM bypass", +} + +JSONP_ENDPOINTS = [ + "accounts.google.com", "ajax.googleapis.com", + "cdn.jsdelivr.net", "cdnjs.cloudflare.com", + "*.githubusercontent.com", "raw.githubusercontent.com", +] + +def analyze_csp(directives): + findings = [] + + # Check for missing critical directives + if "default-src" not in directives and "script-src" not in directives: + findings.append({ + "directive": "script-src", + "issue": "No script-src or default-src — scripts unrestricted", + "severity": "critical", + }) + + if "object-src" not in directives: + findings.append({ + "directive": "object-src", + "issue": "Missing object-src — plugin-based XSS possible", + "severity": "high", + }) + + if "base-uri" not in directives: + findings.append({ + "directive": "base-uri", + "issue": "Missing base-uri — base tag injection possible", + "severity": "medium", + }) + + # Check each directive for bypass patterns + for directive, values in directives.items(): + for value in values: + if value in BYPASS_PATTERNS: + findings.append({ + "directive": directive, + "value": value, + "issue": BYPASS_PATTERNS[value], + "severity": "high" if value in ("'unsafe-inline'", "'unsafe-eval'", "*") else "medium", + }) + + # Check for JSONP-hosting CDNs + for jsonp_host in JSONP_ENDPOINTS: + if jsonp_host in value or value.endswith(jsonp_host): + findings.append({ + "directive": directive, + "value": value, + "issue": f"Allows {jsonp_host} — JSONP/script gadget bypass possible", + "severity": "high", + }) + + return findings +``` + +### Check for Nonce/Hash Based CSP +```python +def check_nonce_hash(directives, html_content): + script_src = directives.get("script-src", []) + + nonces = [v for v in script_src if v.startswith("'nonce-")] + hashes = [v for v in script_src if v.startswith("'sha256-") or v.startswith("'sha384-")] + + findings = [] + if nonces: + # Check if nonce is reused (static) + nonce_value = nonces[0].strip("'").replace("nonce-", "") + if len(nonce_value) < 16: + findings.append({ + "issue": "Nonce is too short — may be predictable", + "severity": "medium", + }) + + if not nonces and not hashes and "'strict-dynamic'" not in script_src: + if "'unsafe-inline'" not in script_src: + findings.append({ + "issue": "No nonce, hash, or strict-dynamic — consider adding", + "severity": "info", + }) + + return {"nonces": len(nonces), "hashes": len(hashes), "findings": findings} +``` + +### Generate Bypass Payloads +```python +def suggest_bypasses(directives): + """Suggest CSP bypass techniques based on the policy.""" + bypasses = [] + script_src = directives.get("script-src", directives.get("default-src", [])) + + if "'unsafe-inline'" in script_src: + bypasses.append({ + "technique": "Inline script injection", + "payload": "", + }) + + if "'unsafe-eval'" in script_src: + bypasses.append({ + "technique": "eval() injection", + "payload": "", + }) + + if any("googleapis.com" in v for v in script_src): + bypasses.append({ + "technique": "Google JSONP callback", + "payload": "", + }) + + if "data:" in script_src: + bypasses.append({ + "technique": "Data URI script", + "payload": "", + }) + + return bypasses +``` ## Output Format + ```json -{"timestamp": "ISO-8601", "target": "URL", "findings": [], "risk_level": "HIGH"} +{ + "url": "https://example.com", + "has_csp": true, + "directives_count": 8, + "findings": [ + { + "directive": "script-src", + "value": "'unsafe-inline'", + "issue": "Allows inline scripts — XSS bypass", + "severity": "high" + } + ], + "bypass_techniques": 2, + "overall_rating": "weak" +} ``` diff --git a/skills/performing-content-security-policy-bypass/scripts/agent.py b/skills/performing-content-security-policy-bypass/scripts/agent.py index d64bf933..512e8a9c 100644 --- a/skills/performing-content-security-policy-bypass/scripts/agent.py +++ b/skills/performing-content-security-policy-bypass/scripts/agent.py @@ -1,60 +1,312 @@ #!/usr/bin/env python3 -"""CSP bypass testing agent.""" -import argparse, json +"""Content Security Policy (CSP) analysis and bypass testing agent. + +Fetches and analyzes CSP headers from web applications to identify +misconfigurations, overly permissive directives, and potential bypass +vectors. Tests for unsafe-inline, unsafe-eval, wildcard sources, +missing directives, and known CSP bypass patterns. + +AUTHORIZED TESTING ONLY: Only use against targets you have explicit +written permission to test. +""" +import argparse +import json +import re +import sys from datetime import datetime, timezone + try: import requests except ImportError: - requests = None + print("[!] 'requests' library required: pip install requests", file=sys.stderr) + sys.exit(1) -def run_scan(target, token=None): + +CSP_DIRECTIVES = [ + "default-src", "script-src", "style-src", "img-src", "font-src", + "connect-src", "media-src", "object-src", "frame-src", "child-src", + "worker-src", "frame-ancestors", "form-action", "base-uri", + "manifest-src", "prefetch-src", "navigate-to", +] + + +def fetch_csp(url, headers=None, cookies=None): + """Fetch CSP header(s) from a URL.""" + print(f"[*] Fetching CSP from {url}") + h = headers or {} + c = cookies or {} + resp = requests.get(url, headers=h, cookies=c, timeout=15, allow_redirects=True) + csp_header = resp.headers.get("Content-Security-Policy", "") + csp_ro = resp.headers.get("Content-Security-Policy-Report-Only", "") + print(f"[+] Status: {resp.status_code}") + if csp_header: + print(f"[+] CSP header found ({len(csp_header)} chars)") + else: + print("[!] No CSP header found") + if csp_ro: + print(f"[+] CSP-Report-Only header found ({len(csp_ro)} chars)") + return csp_header, csp_ro, resp.status_code + + +def parse_csp(csp_string): + """Parse a CSP string into a structured dict.""" + directives = {} + if not csp_string: + return directives + for part in csp_string.split(";"): + part = part.strip() + if not part: + continue + tokens = part.split() + if tokens: + directive_name = tokens[0].lower() + values = tokens[1:] if len(tokens) > 1 else [] + directives[directive_name] = values + return directives + + +def analyze_csp(directives, csp_string): + """Analyze CSP directives for security weaknesses.""" findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} if token else {} - try: - resp = requests.get(f"{target}", headers=headers, timeout=15) - if resp.status_code == 200: - findings.append({"check": "Target Accessible", "status": "OK", "severity": "INFO"}) - else: - findings.append({"check": "Target Access", "status": f"HTTP {resp.status_code}", "severity": "MEDIUM"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) + + # Missing CSP entirely + if not directives: + findings.append({ + "check": "CSP Header Present", + "severity": "HIGH", + "status": "MISSING", + "description": "No Content-Security-Policy header", + "recommendation": "Implement a CSP header", + }) + return findings + + # Check for missing critical directives + if "default-src" not in directives: + findings.append({ + "check": "default-src directive", + "severity": "HIGH", + "status": "MISSING", + "description": "No default-src fallback directive", + "recommendation": "Add default-src 'none' or default-src 'self'", + }) + + if "script-src" not in directives and "default-src" not in directives: + findings.append({ + "check": "script-src directive", + "severity": "CRITICAL", + "status": "MISSING", + "description": "No script-src or default-src; scripts unrestricted", + }) + + if "object-src" not in directives: + findings.append({ + "check": "object-src directive", + "severity": "MEDIUM", + "status": "MISSING", + "description": "Missing object-src; plugin-based XSS possible", + "recommendation": "Add object-src 'none'", + }) + + if "base-uri" not in directives: + findings.append({ + "check": "base-uri directive", + "severity": "MEDIUM", + "status": "MISSING", + "description": "Missing base-uri; base tag injection possible", + "recommendation": "Add base-uri 'self' or base-uri 'none'", + }) + + if "frame-ancestors" not in directives: + findings.append({ + "check": "frame-ancestors directive", + "severity": "MEDIUM", + "status": "MISSING", + "description": "Missing frame-ancestors; clickjacking possible", + "recommendation": "Add frame-ancestors 'self'", + }) + + # Analyze each directive + for directive, values in directives.items(): + values_str = " ".join(values) + + # unsafe-inline + if "'unsafe-inline'" in values: + sev = "CRITICAL" if directive in ("script-src", "default-src") else "MEDIUM" + findings.append({ + "check": f"unsafe-inline in {directive}", + "severity": sev, + "status": "FAIL", + "description": f"'unsafe-inline' allows inline scripts/styles in {directive}", + "bypass": "Inject inline